CA2467869C - Origination/destination features and lists for spam prevention - Google Patents
Origination/destination features and lists for spam prevention Download PDFInfo
- Publication number
- CA2467869C CA2467869C CA2467869A CA2467869A CA2467869C CA 2467869 C CA2467869 C CA 2467869C CA 2467869 A CA2467869 A CA 2467869A CA 2467869 A CA2467869 A CA 2467869A CA 2467869 C CA2467869 C CA 2467869C
- Authority
- CA
- Canada
- Prior art keywords
- features
- address
- message
- extracted
- feature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
- 230000002265 prevention Effects 0.000 title abstract description 6
- 238000000034 method Methods 0.000 claims abstract description 81
- 238000010801 machine learning Methods 0.000 claims abstract description 43
- 238000012549 training Methods 0.000 claims description 28
- 238000012545 processing Methods 0.000 claims description 22
- 239000000284 extract Substances 0.000 claims description 8
- OKTJSMMVPCPJKN-UHFFFAOYSA-N Carbon Chemical compound [C] OKTJSMMVPCPJKN-UHFFFAOYSA-N 0.000 claims description 5
- 229910052799 carbon Inorganic materials 0.000 claims description 5
- 238000010606 normalization Methods 0.000 claims description 3
- 238000013507 mapping Methods 0.000 claims 1
- 238000001914 filtration Methods 0.000 abstract description 7
- 238000001514 detection method Methods 0.000 abstract description 5
- 238000010586 diagram Methods 0.000 description 23
- 230000008569 process Effects 0.000 description 22
- 238000000605 extraction Methods 0.000 description 17
- 230000008520 organization Effects 0.000 description 13
- 239000000463 material Substances 0.000 description 9
- 238000004891 communication Methods 0.000 description 6
- 230000000875 corresponding effect Effects 0.000 description 6
- 230000015556 catabolic process Effects 0.000 description 5
- 230000006870 function Effects 0.000 description 5
- 230000009471 action Effects 0.000 description 4
- 238000013459 approach Methods 0.000 description 4
- 230000008901 benefit Effects 0.000 description 4
- 239000000945 filler Substances 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 3
- 230000037361 pathway Effects 0.000 description 3
- 230000004044 response Effects 0.000 description 3
- 235000008694 Humulus lupulus Nutrition 0.000 description 2
- 230000002093 peripheral effect Effects 0.000 description 2
- 230000002441 reversible effect Effects 0.000 description 2
- 230000001360 synchronised effect Effects 0.000 description 2
- RYGMFSIKBFXOCR-UHFFFAOYSA-N Copper Chemical compound [Cu] RYGMFSIKBFXOCR-UHFFFAOYSA-N 0.000 description 1
- 208000001613 Gambling Diseases 0.000 description 1
- 240000008042 Zea mays Species 0.000 description 1
- 235000005824 Zea mays ssp. parviglumis Nutrition 0.000 description 1
- 235000002017 Zea mays subsp mays Nutrition 0.000 description 1
- 230000003044 adaptive effect Effects 0.000 description 1
- 230000004075 alteration Effects 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 230000003466 anti-cipated effect Effects 0.000 description 1
- 230000000903 blocking effect Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 229910052802 copper Inorganic materials 0.000 description 1
- 239000010949 copper Substances 0.000 description 1
- 235000005822 corn Nutrition 0.000 description 1
- 230000002596 correlated effect Effects 0.000 description 1
- 239000003814 drug Substances 0.000 description 1
- 229940079593 drug Drugs 0.000 description 1
- 230000009977 dual effect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 210000003608 fece Anatomy 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 238000007726 management method Methods 0.000 description 1
- 230000005055 memory storage Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 239000010813 municipal solid waste Substances 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 238000005070 sampling Methods 0.000 description 1
- 238000000682 scanning probe acoustic microscopy Methods 0.000 description 1
- 230000001568 sexual effect Effects 0.000 description 1
- 230000002123 temporal effect Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q50/00—Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
- G06Q50/40—Business processes related to the transportation industry
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
- H04L51/21—Monitoring or handling of messages
- H04L51/212—Monitoring or handling of messages using filtering or selective blocking
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/10—Office automation; Time management
- G06Q10/107—Computer-aided management of electronic mailing [e-mailing]
Landscapes
- Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Human Resources & Organizations (AREA)
- Strategic Management (AREA)
- Entrepreneurship & Innovation (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- Physics & Mathematics (AREA)
- Economics (AREA)
- Marketing (AREA)
- Tourism & Hospitality (AREA)
- Quality & Reliability (AREA)
- Operations Research (AREA)
- Data Mining & Analysis (AREA)
- Computer Hardware Design (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Primary Health Care (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Information Transfer Between Computers (AREA)
- Image Analysis (AREA)
Abstract
The present invention involves a system and method that facilitate extracting data from messages for spam filtering. The extracted data can be in the form of features which can be employed in connection with machine learning systems to build improved filters. Data associated with origination information as well as other information embedded in the body of the message that allows a recipient of the message to contact and/or respond to the sender of the message can be extracted as features. The features or a subset thereof can be normalized and/or deobfuscated prior to being employed as features of the machine learning systems. The (deobfuscated) features can be employed to populate a plurality of feature lists that facilitate spam detection and prevention. Exemplary features include an email address, an IP address, a URL, an embedded image pointing to a URL and/or portions thereof.
Description
MS303501.1 Express Mail No. EV3 300202621!S
Title: ORIGINATION/DI:S'17NATION FEATURES AND LISTS FOR SPAM
PRL-V1:NTION
TECIINICAL FIELD
This invention is related to systems and methods for identifying both legitimate (e.g.. good mail) and undesired mail. and more particularly for processing electronic messages to extract data to facilitate spam prevention-BACKGROUND OF TI IE INVENTION
The advent of global communications networks such as the Internet has presented commercial opportunities for reaching vast numbers of potential customers.
Electronic messaging. and particularly electronic mail ("email"). is becoming increasingly pervasive as a means for disseminating unwanted advertisements and promotions (also denoted as ..spans) to network users.
The Radical] Group. Inc__ a consulting and market research firm. estimates that as of August 2002. two billion junk e-mail messages are sent each day - this number is expected to triple every two years. Individuals and entities (e.g..
businesses. government agencies) are becoming increasingly inconvenienced and oftentimes offended by junk messages. As such. spam is now or soon will become a major threat to trustworthy computing.
A key technique utilized to thwart spam is employment of filtering systems/methodologies. One proven filtering technique is based upon a machine learning approach - machine learning filters assign to an incoming message a probability that the message is spam. In this approach. features typically are extracted from two classes of example messages (e.g., spam and non-spam messages), and a learning filter is applied to discriminate probabilistically between the two classes. Since many message features are related to content (e.g.. words and phrases in the subject and/or body of the message), such types of filters are commonly referred to as "content-based filters".
With the onslaught of such spam filtering techniques, many spammers have thought of ways to disguise their identities to avoid and/or bypass spam filters. Thus.
MS303501.1 conventional content-based and adaptive filters may become ineffective in recognizing and blocking disguised spam messages.
SUMMARY OF THE INVENTION
The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. This summary is not an extensive overview of the invention. It is not intended to identify key/critical elements of the invention or to delineate the scope of the invention. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that is presented later.
Spammers can disguise almost all of the information in their messages. For instance. they can embed images. so that there are no words to use as features for a machine learning system. The images can even be distorted in ways that would make it difficult. or at least time-consuming. to use OCR software. Still. no matter how many features they remove. there is still useful information. First. the spammers must send the message from somewhere. We can detect what IP address the message was received from. Second. the spammers are almost always trying to sell something, and must therefore include a way to contact them. This could be a toll free number, but spammers.
may be reluctant to use this. because of the high cost of complaints. It could be a non-toll free number. but spammers may be reluctant to do this. because of the lower response rate. Alternatively, it could be a URL (e.g.. http://w-ww.spamcorp.com/buyenlarger.him).
This URL could be embedded in an image to make it more difficult for filters and/or software to detect. However. spammers may be reluctant to do this because the user will need to type the URL in to their browser. which could lower response rates.
The most likely ways for spammers to be contacted are embedded links, or through an embedded email address of some sort. For instance, "click here to learn more" wherein the "click here" contains a link to a specific web page that the machine learning system can detect and use in accordance with one aspect of the present invention. Similarly, the address to be replied to (e.g., typically the "from address" but sometimes the "reply-to" address if there is one), or any embedded mailto:
links (links that allow a mail message to be sent by clicking on the link). or any other embedded
Title: ORIGINATION/DI:S'17NATION FEATURES AND LISTS FOR SPAM
PRL-V1:NTION
TECIINICAL FIELD
This invention is related to systems and methods for identifying both legitimate (e.g.. good mail) and undesired mail. and more particularly for processing electronic messages to extract data to facilitate spam prevention-BACKGROUND OF TI IE INVENTION
The advent of global communications networks such as the Internet has presented commercial opportunities for reaching vast numbers of potential customers.
Electronic messaging. and particularly electronic mail ("email"). is becoming increasingly pervasive as a means for disseminating unwanted advertisements and promotions (also denoted as ..spans) to network users.
The Radical] Group. Inc__ a consulting and market research firm. estimates that as of August 2002. two billion junk e-mail messages are sent each day - this number is expected to triple every two years. Individuals and entities (e.g..
businesses. government agencies) are becoming increasingly inconvenienced and oftentimes offended by junk messages. As such. spam is now or soon will become a major threat to trustworthy computing.
A key technique utilized to thwart spam is employment of filtering systems/methodologies. One proven filtering technique is based upon a machine learning approach - machine learning filters assign to an incoming message a probability that the message is spam. In this approach. features typically are extracted from two classes of example messages (e.g., spam and non-spam messages), and a learning filter is applied to discriminate probabilistically between the two classes. Since many message features are related to content (e.g.. words and phrases in the subject and/or body of the message), such types of filters are commonly referred to as "content-based filters".
With the onslaught of such spam filtering techniques, many spammers have thought of ways to disguise their identities to avoid and/or bypass spam filters. Thus.
MS303501.1 conventional content-based and adaptive filters may become ineffective in recognizing and blocking disguised spam messages.
SUMMARY OF THE INVENTION
The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. This summary is not an extensive overview of the invention. It is not intended to identify key/critical elements of the invention or to delineate the scope of the invention. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that is presented later.
Spammers can disguise almost all of the information in their messages. For instance. they can embed images. so that there are no words to use as features for a machine learning system. The images can even be distorted in ways that would make it difficult. or at least time-consuming. to use OCR software. Still. no matter how many features they remove. there is still useful information. First. the spammers must send the message from somewhere. We can detect what IP address the message was received from. Second. the spammers are almost always trying to sell something, and must therefore include a way to contact them. This could be a toll free number, but spammers.
may be reluctant to use this. because of the high cost of complaints. It could be a non-toll free number. but spammers may be reluctant to do this. because of the lower response rate. Alternatively, it could be a URL (e.g.. http://w-ww.spamcorp.com/buyenlarger.him).
This URL could be embedded in an image to make it more difficult for filters and/or software to detect. However. spammers may be reluctant to do this because the user will need to type the URL in to their browser. which could lower response rates.
The most likely ways for spammers to be contacted are embedded links, or through an embedded email address of some sort. For instance, "click here to learn more" wherein the "click here" contains a link to a specific web page that the machine learning system can detect and use in accordance with one aspect of the present invention. Similarly, the address to be replied to (e.g., typically the "from address" but sometimes the "reply-to" address if there is one), or any embedded mailto:
links (links that allow a mail message to be sent by clicking on the link). or any other embedded
2 MS303501.1 email addresses. Additionally. spammers often include images in messages.
Because it is expensive to mail large images over and over. spammers often embed only a special link to the image. which causes the image to he downloaded. The locations that these links point to can also he used as features.
With respect to the information pulled from the mail from address. mail reply-to address. embedded mailto: addresses. external links. and links of external images. at least a portion of such information can he used as a feature of a machine learning system. with which a weight or probability is associated: or the information can be added to a list. For instance. we can keep lists of IP addresses or from addresses that send only span. or only good mail. or more than 90% good mail. etc. The fact that a particular link or address is on such a list can be used either as a feature of a machine learning system.
or as part of any other spam filtering system. or both.
The subject invention provides a system and method that facilitate identifying disguised spam messages by examining particular portions of the messages. More specifically. the present invention involves processing a message such as electronic mail (email) to extract origination and/or destination data to distinguish spam messages from legitimate messages. The processing includes various techniques to identify and parse IP
address information. email address information. and/or universal resource locator (URL) information and to associate the extracted data with spam attributes (e.g..
good user vs.
had user or good sender vs. bad sender). A bad user or bad sender would be considered a spammer (e.g.. one who sends spam). for example.
The extracted data, or at least a portion thereof. can be used to generate feature sets for machine learning systems. Machine learning techniques examine the contents of messages to determine if the messages are spam. Spammers can obfuscate most of the contents of a message such as by putting most of their information in difficult-to-process images. However, the origin of the message cannot be fully disguised since the spammers need to provide some way for a recipient to easily contact them.
Examples of such include using a link (e.g., URL) and/or an email address (e.g., IP
address). These types of information or variations or portions thereof, can be employed as features of a spam detector. In particular, the information can be used to train a spam detector and/or spam filter by way of the machine learning systems, for example.
Because it is expensive to mail large images over and over. spammers often embed only a special link to the image. which causes the image to he downloaded. The locations that these links point to can also he used as features.
With respect to the information pulled from the mail from address. mail reply-to address. embedded mailto: addresses. external links. and links of external images. at least a portion of such information can he used as a feature of a machine learning system. with which a weight or probability is associated: or the information can be added to a list. For instance. we can keep lists of IP addresses or from addresses that send only span. or only good mail. or more than 90% good mail. etc. The fact that a particular link or address is on such a list can be used either as a feature of a machine learning system.
or as part of any other spam filtering system. or both.
The subject invention provides a system and method that facilitate identifying disguised spam messages by examining particular portions of the messages. More specifically. the present invention involves processing a message such as electronic mail (email) to extract origination and/or destination data to distinguish spam messages from legitimate messages. The processing includes various techniques to identify and parse IP
address information. email address information. and/or universal resource locator (URL) information and to associate the extracted data with spam attributes (e.g..
good user vs.
had user or good sender vs. bad sender). A bad user or bad sender would be considered a spammer (e.g.. one who sends spam). for example.
The extracted data, or at least a portion thereof. can be used to generate feature sets for machine learning systems. Machine learning techniques examine the contents of messages to determine if the messages are spam. Spammers can obfuscate most of the contents of a message such as by putting most of their information in difficult-to-process images. However, the origin of the message cannot be fully disguised since the spammers need to provide some way for a recipient to easily contact them.
Examples of such include using a link (e.g., URL) and/or an email address (e.g., IP
address). These types of information or variations or portions thereof, can be employed as features of a spam detector. In particular, the information can be used to train a spam detector and/or spam filter by way of the machine learning systems, for example.
3 The present invention can also be cooperative with parental control systems. Parental controls systems can notify a user that a message is inappropriate and can also indicate a reason for such inappropriateness such as includes pornographic material. According to one aspect of the present invention, one or more extracted and normalized features (e.g. a URL) can be passed through a parental control system or filter to obtain the parental control system's classification. This classification can be employed as an additional feature of the machine learning system to facilitate building and/or improving spam filters.
Furthermore, extracted features can be classified by type, can be weighted according to a degree of spaminess and can be designated as either positive (e.g. more likely not spam) or negative (e.g. more likely to be spam) features.
The features can also be utilized to create lists such as non-spammer lists and spammer lists, for example.
According to an aspect of the present invention, there is provided a system implemented on one or more computers that facilitates extracting data in connection with spam processing, comprising: a component implemented on one or more processors that receives an item and extracts a set of features associated with at least one of an origination of a message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message, wherein the set of features comprises a host name and a domain name; and a component that employs a subset of the extracted features in connection with building a filter, wherein the filter is at least one of stored on a computer readable storage medium, displayed on a display device, or employed by a component implemented on one or more processors.
According to another aspect of the present invention, there is provided a computer readable memory having recorded thereon statements and instructions for execution by a computer, said statements and instructions comprising code means for implementing the components of a system as described above.
Furthermore, extracted features can be classified by type, can be weighted according to a degree of spaminess and can be designated as either positive (e.g. more likely not spam) or negative (e.g. more likely to be spam) features.
The features can also be utilized to create lists such as non-spammer lists and spammer lists, for example.
According to an aspect of the present invention, there is provided a system implemented on one or more computers that facilitates extracting data in connection with spam processing, comprising: a component implemented on one or more processors that receives an item and extracts a set of features associated with at least one of an origination of a message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message, wherein the set of features comprises a host name and a domain name; and a component that employs a subset of the extracted features in connection with building a filter, wherein the filter is at least one of stored on a computer readable storage medium, displayed on a display device, or employed by a component implemented on one or more processors.
According to another aspect of the present invention, there is provided a computer readable memory having recorded thereon statements and instructions for execution by a computer, said statements and instructions comprising code means for implementing the components of a system as described above.
4 According to yet another aspect of the present invention, there is provided a method that facilitates extracting data in connection with spam processing, comprising: receiving a message; extracting a set of features associated with at least one of an origination of the message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message, wherein the set of features comprises at least a portion of an IP address;
wherein extracting at least a portion of the IP address comprises performing at least one of consulting a block ID directory to determine at least one block ID
corresponding to the IP address such that the block ID is extracted as an additional feature or extracting each of at least a first 1 bit up to a first 31 bits from the IP
address; and employing a subset of the extracted features in connection with building a filter.
According to a further aspect of the present invention, there is provided a system implemented on one or more computers that facilitates extracting data in connection with spam processing, comprising: a means for receiving a message;
a means for extracting a set of features associated with at least one of an origination of the message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message, wherein the set of features comprises a host name and a domain name; and a means for employing a subset of the extracted features in connection with building a filter.
According to still a further aspect of the present invention, there is provided a system that facilitates extracting data in connection with spam processing, comprising: a memory; a processor coupled to the memory; a component implemented on the processor that receives an item and extracts a set of features associated with at least one of an origination of a message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message, wherein the component that receives the item determines a last trusted server IP address to distinguish between legitimate and fake prepended server IP addresses and the last trusted server IP address is extracted as a feature from the item; and a component implemented on the processor that employs a subset of the extracted features in connection with building a filter by 4a adding the subset of the extracted features to a training set of data utilized for training and updating the filter, wherein the filter determines a probability that the message is spam when the subset of the extracted features passes through the filter.
According to another aspect of the present invention, there is provided a method that facilitates extracting data in connection with spam processing, comprising: receiving a message; extracting a set of features associated with at least one of an origination of the message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message;
wherein a last trusted server IP address is an extracted feature from the message and a determination is made to distinguish between legitimate and fake prepended server IP addresses; and employing a subset of the extracted features in connection with building a filter by adding the subset of the extracted features to a training set of data utilized for training and updating the filter, wherein the filter determines a probability of the message being spam when the subset of the extracted features passes through the filter.
According to yet another aspect of the present invention, there is provided a system that facilitates extracting data in connection with spam processing, comprising: a memory; a processor coupled to the memory; a means for receiving a message; a means for extracting a set of features associated with at least one of an origination of the message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message; the means for extracting the set of features that determines a last trusted server 1P
address that distinguishes between legitimate and fake prepended server IP addresses, wherein the last trusted server IP address is extracted as a feature; and a means for employing a subset of the extracted features in connection with building a filter, wherein the filter determines a probability of the message being spam.
To the accomplishment of the foregoing and related ends, certain illustrative aspects of the invention are described herein in connection with the following description and the annexed drawings. These aspects are indicative, 4b however, of but a few of the various ways in which the principles of the invention may be employed and the present invention is intended to include all such aspects and their equivalents. Other advantages and novel features of the invention may become apparent from the following detailed description of the invention when considered in conjunction with the drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 is a high-level block diagram of a system that facilitates spam prevention in accordance with an aspect of the present invention.
Fig. 2 is a block diagram of a system that facilitates spam prevention by extracting one or more features from incoming messages in accordance with an aspect of the present invention.
Fig. 3 is a schematic diagram of a plurality of features which can be extracted from an IP address in accordance with an aspect of the present invention.
Fig. 4 is a schematic diagram of a plurality of features which can be extracted from a FQDN in accordance with an aspect of the present invention.
4c MS303501.1 Fig. 5 is a schematic diagram of a plurality of features which can he extracted from an email address in accordance with an aspect of the present invention.
Figg. 6 is a schematic diagram of a plurality of features which can he extracted from a URl_ or web address in accordance with an aspect of the present invention.
Fig. 7 is a flow diagram of an exemplary method in connection with training filters in accordance with an aspect of the present invention.
Fig. 8 is a flow diagram of an exemplary method in connection with employing a trained filter in accordance with an aspect of the present invention.
Fig. 9 is a flow diagram of an exemplary method in connection with creating lists in accordance with an aspect of the present invention.
Fig. 10 is a flow diagram of an exemplary method in connection with employing lists to train filters in accordance with an aspect of the present invention.
Fig. 1 1 is a flow diagram of a process referred to in the methods of at least Figs. 7 and 8 in accordance with an aspect of the present invention.
Fig. 12 is a flow diagram of a process that facilitates distinguishing between legitimate and fake received-from IP addresses in accordance with an aspect of the present invention.
Fig. 13 is a flow diagram of a method that incorporates a parental control system in the generation and/or extraction of features from incoming messages in accordance with an aspect of the present invention.
Fig. 14 is a flow diagram of a method that facilitates creation of feature sets to be employed in machine learning system in accordance with an aspect of the present invention.
Fig. 15 is an exemplary environment for implementing various aspects of the invention.
DETAILED DESCRIPTION OF THE INVENTION
The present invention is now described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It may be evident.
wherein extracting at least a portion of the IP address comprises performing at least one of consulting a block ID directory to determine at least one block ID
corresponding to the IP address such that the block ID is extracted as an additional feature or extracting each of at least a first 1 bit up to a first 31 bits from the IP
address; and employing a subset of the extracted features in connection with building a filter.
According to a further aspect of the present invention, there is provided a system implemented on one or more computers that facilitates extracting data in connection with spam processing, comprising: a means for receiving a message;
a means for extracting a set of features associated with at least one of an origination of the message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message, wherein the set of features comprises a host name and a domain name; and a means for employing a subset of the extracted features in connection with building a filter.
According to still a further aspect of the present invention, there is provided a system that facilitates extracting data in connection with spam processing, comprising: a memory; a processor coupled to the memory; a component implemented on the processor that receives an item and extracts a set of features associated with at least one of an origination of a message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message, wherein the component that receives the item determines a last trusted server IP address to distinguish between legitimate and fake prepended server IP addresses and the last trusted server IP address is extracted as a feature from the item; and a component implemented on the processor that employs a subset of the extracted features in connection with building a filter by 4a adding the subset of the extracted features to a training set of data utilized for training and updating the filter, wherein the filter determines a probability that the message is spam when the subset of the extracted features passes through the filter.
According to another aspect of the present invention, there is provided a method that facilitates extracting data in connection with spam processing, comprising: receiving a message; extracting a set of features associated with at least one of an origination of the message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message;
wherein a last trusted server IP address is an extracted feature from the message and a determination is made to distinguish between legitimate and fake prepended server IP addresses; and employing a subset of the extracted features in connection with building a filter by adding the subset of the extracted features to a training set of data utilized for training and updating the filter, wherein the filter determines a probability of the message being spam when the subset of the extracted features passes through the filter.
According to yet another aspect of the present invention, there is provided a system that facilitates extracting data in connection with spam processing, comprising: a memory; a processor coupled to the memory; a means for receiving a message; a means for extracting a set of features associated with at least one of an origination of the message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message; the means for extracting the set of features that determines a last trusted server 1P
address that distinguishes between legitimate and fake prepended server IP addresses, wherein the last trusted server IP address is extracted as a feature; and a means for employing a subset of the extracted features in connection with building a filter, wherein the filter determines a probability of the message being spam.
To the accomplishment of the foregoing and related ends, certain illustrative aspects of the invention are described herein in connection with the following description and the annexed drawings. These aspects are indicative, 4b however, of but a few of the various ways in which the principles of the invention may be employed and the present invention is intended to include all such aspects and their equivalents. Other advantages and novel features of the invention may become apparent from the following detailed description of the invention when considered in conjunction with the drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 is a high-level block diagram of a system that facilitates spam prevention in accordance with an aspect of the present invention.
Fig. 2 is a block diagram of a system that facilitates spam prevention by extracting one or more features from incoming messages in accordance with an aspect of the present invention.
Fig. 3 is a schematic diagram of a plurality of features which can be extracted from an IP address in accordance with an aspect of the present invention.
Fig. 4 is a schematic diagram of a plurality of features which can be extracted from a FQDN in accordance with an aspect of the present invention.
4c MS303501.1 Fig. 5 is a schematic diagram of a plurality of features which can he extracted from an email address in accordance with an aspect of the present invention.
Figg. 6 is a schematic diagram of a plurality of features which can he extracted from a URl_ or web address in accordance with an aspect of the present invention.
Fig. 7 is a flow diagram of an exemplary method in connection with training filters in accordance with an aspect of the present invention.
Fig. 8 is a flow diagram of an exemplary method in connection with employing a trained filter in accordance with an aspect of the present invention.
Fig. 9 is a flow diagram of an exemplary method in connection with creating lists in accordance with an aspect of the present invention.
Fig. 10 is a flow diagram of an exemplary method in connection with employing lists to train filters in accordance with an aspect of the present invention.
Fig. 1 1 is a flow diagram of a process referred to in the methods of at least Figs. 7 and 8 in accordance with an aspect of the present invention.
Fig. 12 is a flow diagram of a process that facilitates distinguishing between legitimate and fake received-from IP addresses in accordance with an aspect of the present invention.
Fig. 13 is a flow diagram of a method that incorporates a parental control system in the generation and/or extraction of features from incoming messages in accordance with an aspect of the present invention.
Fig. 14 is a flow diagram of a method that facilitates creation of feature sets to be employed in machine learning system in accordance with an aspect of the present invention.
Fig. 15 is an exemplary environment for implementing various aspects of the invention.
DETAILED DESCRIPTION OF THE INVENTION
The present invention is now described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It may be evident.
5 MS303501 .1 however. that the present invention may he practiced without these specific details. In other instances. well-known structures and devices are shown in block diagram form in order to facilitate describing the present inention.
As used in this application. the terms "component" and "system" are intended to refer to a computer-related entity. either hardware. a combination of hardware and software. software. or software in execution. For example. a component may be.
but is not limited to being. a process running on a processor. a processor- an object. an executable. a thread of execution. a program. and/or a computer. By way of illustration.
both an application running on a server and the server can be a component. One or more components may reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers.
The subject invention can incorporate various inference schemes and/or techniques in connection with generating training data for machine learned span filtering. As used herein. the term "inference" refers generally to the process of reasoning about or inferring states of the system. environment. and/or user from a set of observations as captured via events and/or data. Inference can be employed to identify a specific context or action. or can generate a probability distribution over states. for example. The inference can be probabilistic - that is. the computation of a probability distribution over states of interest based on a consideration of data and events. Inference can also refer to techniques employed for composing higher-level events from a set of events and/or data. Such inference results in the construction of new events or actions from a set of observed events and/or stored event data, whether or not the events are correlated in close temporal proximity. and whether the events and data come from one or several event and data sources.
It is to be appreciated that although the term message is employed extensively throughout the specification, such term is not limited to electronic mail per se, but can be suitably adapted to include electronic messaging of any form that can be distributed over any suitable communication architecture. For example, conferencing applications that facilitate a conference between two or more people (e.g., interactive chat programs, and instant messaging programs) can also utilize the filtering benefits disclosed herein, since unwanted text can be electronically interspersed into normal chat messages as users
As used in this application. the terms "component" and "system" are intended to refer to a computer-related entity. either hardware. a combination of hardware and software. software. or software in execution. For example. a component may be.
but is not limited to being. a process running on a processor. a processor- an object. an executable. a thread of execution. a program. and/or a computer. By way of illustration.
both an application running on a server and the server can be a component. One or more components may reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers.
The subject invention can incorporate various inference schemes and/or techniques in connection with generating training data for machine learned span filtering. As used herein. the term "inference" refers generally to the process of reasoning about or inferring states of the system. environment. and/or user from a set of observations as captured via events and/or data. Inference can be employed to identify a specific context or action. or can generate a probability distribution over states. for example. The inference can be probabilistic - that is. the computation of a probability distribution over states of interest based on a consideration of data and events. Inference can also refer to techniques employed for composing higher-level events from a set of events and/or data. Such inference results in the construction of new events or actions from a set of observed events and/or stored event data, whether or not the events are correlated in close temporal proximity. and whether the events and data come from one or several event and data sources.
It is to be appreciated that although the term message is employed extensively throughout the specification, such term is not limited to electronic mail per se, but can be suitably adapted to include electronic messaging of any form that can be distributed over any suitable communication architecture. For example, conferencing applications that facilitate a conference between two or more people (e.g., interactive chat programs, and instant messaging programs) can also utilize the filtering benefits disclosed herein, since unwanted text can be electronically interspersed into normal chat messages as users
6 ^1 MS30 3501.1 exchange messages and/or inserted as a lead-off message- a closing message- or all of the above. In this particular application. a filler can he trained to automatically filter particular message content (text and images) in order to capture and tag as spam the undesirable content (e.g.. commercials- promotions. or advertisements).
In the subject invention. the term "recipient"' refers to an addressee of an incoming message or mail item. The term "user" can refer to a recipient or a sender.
depending on the context. For example. a user can refer to an email user who sends spam and/or a user can refer to an email recipient who receives the span. depending on the context and application of the term.
An Internet Protocol (IP) address is a 32 hit number typically representing a machine on the internet. These numbers are used when two machines communicate-Thev are typically represented in the form "xxx.xxx.xxx.xxx". where each xxx is between 0 and 255. Unfortunately. IP addresses are difficult to remember. Because of this. the "domain name" and "host name" conventions have been created. A "domain name'-is the name of a group of machines on the internet (perhaps a single machine).
and is typically of the form "x.com-`. or "v.edu''. or "courts.wa.gov'-.
A Fully Qualified Domain Name (FQDN) is a particular machine on the internet.
e.g., "b.x.com" or "c.y.edu" or "www.courts.wa.gov": the domain name portion is "x.com" or "y.edu" or "courts.wa.gov 'respectively. The "b". "c". and "www"
portions.
respectively, are called the host name portion of the FQDN. In general, an 1P
address can be used in any situation in which a domain name can be used (e.g.. "DN/]P'' indicates that both possibilities exist). Also in general, an IP address can be used in any situation in which an FQDN can be used (e.g.. "FQDN/IP" indicates that both possibilities exist).
An email address consists of a user name and a domain name or lP address (DN/IP), e.g., "a@x.com" or "a@I.2.3.4"_ In both examples, the user name is "a.'' Uniform Resource Locators (URLs) are typically of the form "service-name:FQDN/IP/url-path." For instance.
"hitp://www.microsoft.com/windows/help.htm"
i a URL. The portion "http" is the service name. The portion "wwvw.microsoft.com" is the FQDN and "windows/help.htm" is the URL-path. This is somewhat of a simplification of URLs, but sufficient for the present discussion.
In the subject invention. the term "recipient"' refers to an addressee of an incoming message or mail item. The term "user" can refer to a recipient or a sender.
depending on the context. For example. a user can refer to an email user who sends spam and/or a user can refer to an email recipient who receives the span. depending on the context and application of the term.
An Internet Protocol (IP) address is a 32 hit number typically representing a machine on the internet. These numbers are used when two machines communicate-Thev are typically represented in the form "xxx.xxx.xxx.xxx". where each xxx is between 0 and 255. Unfortunately. IP addresses are difficult to remember. Because of this. the "domain name" and "host name" conventions have been created. A "domain name'-is the name of a group of machines on the internet (perhaps a single machine).
and is typically of the form "x.com-`. or "v.edu''. or "courts.wa.gov'-.
A Fully Qualified Domain Name (FQDN) is a particular machine on the internet.
e.g., "b.x.com" or "c.y.edu" or "www.courts.wa.gov": the domain name portion is "x.com" or "y.edu" or "courts.wa.gov 'respectively. The "b". "c". and "www"
portions.
respectively, are called the host name portion of the FQDN. In general, an 1P
address can be used in any situation in which a domain name can be used (e.g.. "DN/]P'' indicates that both possibilities exist). Also in general, an IP address can be used in any situation in which an FQDN can be used (e.g.. "FQDN/IP" indicates that both possibilities exist).
An email address consists of a user name and a domain name or lP address (DN/IP), e.g., "a@x.com" or "a@I.2.3.4"_ In both examples, the user name is "a.'' Uniform Resource Locators (URLs) are typically of the form "service-name:FQDN/IP/url-path." For instance.
"hitp://www.microsoft.com/windows/help.htm"
i a URL. The portion "http" is the service name. The portion "wwvw.microsoft.com" is the FQDN and "windows/help.htm" is the URL-path. This is somewhat of a simplification of URLs, but sufficient for the present discussion.
7 MS303501.1 Referring now to Fig. 1. there is illustrated a general block diagram of a feature extraction and training system 100 in accordance with an aspect of the present invention.
The feature extraction and training system 100 involves processing incoming messages 1 10 to extract data or features from the messages. Such features can be extracted from at least a portion of the origination and/or destination information provided in the message and/or variations thereof. In particular. one or more incoming messages 1 10 can be received by the system 100 via a message receiving component 120. The message receiving component 120 can be located on an email or message server. for example. to receive the incoming messages 110. Though some messages (e.g., at least one) can be vulnerable to an existing filler (e.g.. spam. junk mail. parental control filter). and thus diverted to a trash bin or junk mail folder. at least a portion of the origination and/or destination data can be extracted and deobfuscated for use in connection with a machine learning system or with populating a feature list.
The message receiving component 120 can pass the incoming messages. or a subset thereof. to a feature extraction component 130. The feature extraction component 130 can extract data from the respective messages 1 10 in order to generate feature sets to facilitate filter training and ultimately sparn detection. Tile data or features extracted from the messages relate to origination and/or destination information found and/or embedded therein. Examples of data or features include a received-from IP
address. a reply-to email address. a cc: (e.g.. carbon copy) email address. URLs of various sorts (including text-based links. image-based links- and URLs or portions thereof in text form), a non-toll free telephone number (e.g_. particularly an area code), toll-free telephone number. a mailto: email address link. a text form email address, a FQDN in a SMTP HELO command. a SMTP MAIL FROM address/return-path address. and/or at least a portion of any of the above.
The feature extraction component 130 can perform any suitable number of processes to extract various sets of features from the message 110 for subsequent use in machine learning systems. In addition or alternatively, the sets of features can be used to populate lists for other filter training techniques.
FQDNs such as a.x.com, for instance, can be translated into numbers generally referred to as an IP address. The IP address is typically observed in a dotted decimal
The feature extraction and training system 100 involves processing incoming messages 1 10 to extract data or features from the messages. Such features can be extracted from at least a portion of the origination and/or destination information provided in the message and/or variations thereof. In particular. one or more incoming messages 1 10 can be received by the system 100 via a message receiving component 120. The message receiving component 120 can be located on an email or message server. for example. to receive the incoming messages 110. Though some messages (e.g., at least one) can be vulnerable to an existing filler (e.g.. spam. junk mail. parental control filter). and thus diverted to a trash bin or junk mail folder. at least a portion of the origination and/or destination data can be extracted and deobfuscated for use in connection with a machine learning system or with populating a feature list.
The message receiving component 120 can pass the incoming messages. or a subset thereof. to a feature extraction component 130. The feature extraction component 130 can extract data from the respective messages 1 10 in order to generate feature sets to facilitate filter training and ultimately sparn detection. Tile data or features extracted from the messages relate to origination and/or destination information found and/or embedded therein. Examples of data or features include a received-from IP
address. a reply-to email address. a cc: (e.g.. carbon copy) email address. URLs of various sorts (including text-based links. image-based links- and URLs or portions thereof in text form), a non-toll free telephone number (e.g_. particularly an area code), toll-free telephone number. a mailto: email address link. a text form email address, a FQDN in a SMTP HELO command. a SMTP MAIL FROM address/return-path address. and/or at least a portion of any of the above.
The feature extraction component 130 can perform any suitable number of processes to extract various sets of features from the message 110 for subsequent use in machine learning systems. In addition or alternatively, the sets of features can be used to populate lists for other filter training techniques.
FQDNs such as a.x.com, for instance, can be translated into numbers generally referred to as an IP address. The IP address is typically observed in a dotted decimal
8 MS303501.1 format comprising four blocks of numbers. Each block is separated by a dot or decimal point and each block of numbers can range from 0 to 255. wherein each variation of numbers corresponds to a different Internet name. For example. a_x.com could translate to 123.124.125.126 whereas 121.124.125.126 could represent drstuv.com. Because numbers are not as easily recognizable or memorable as words. IP addresses are usually referred to by their respective FQDNs. The same IP address in dotted decimal format can also be expressed in alternative formats which will be discussed below.
According to one aspect of the subject invention. the feature extraction component 130 can focus on the received-from 11" address(s) included in the message 110. The received-from IP address is based at least in part upon the received-from IP
information. Generally. mail sent over the Internet is transported from server to server involving as few as two servers (e.g.. a sender and a receiver) at times. In even rarer occurrences. a client can send directly to a server. In some cases. many more servers can be involved such that mail or messages are sent from one server to another due to the presence of firewalls. for example. In particular. some servers can be located on the inside of a firewall. and thus can only communicate with designated servers on the other side of the firewall. This causes an increase in the number of hops the message takes to get from the sender to the receiver. The received-from lines comprising the IP
addresses facilitate tracing the path of the message to ascertain where the message came from.
As the message l 10 travels from server to server. each server which is contacted prepends the identity of the IP address that it received the message from to a received-from field (i.e.. "Received:" field) of the message. as well as the name of the alleged FQDN of the server it is talking to. This FQDN is told to the receiving server by the sending server, through the HELO command of the SMTP protocol, and thus cannot be trusted if the sending server is outside the organization. For example. the message can have five received from lines with 5 IP addresses and FQDNs prepended, thus indicating that it has passed through six different servers (i.e., been passed 5 times), with the lines in the reverse order in which they were prepended (i.e., latest first). However, each server has the ability to modify any lower (earlier prepended) lines. This can be particularly problematic especially when the message has traveled between multiple servers.
Because each intermediate server is capable of altering any earlier written (lower) received-from
According to one aspect of the subject invention. the feature extraction component 130 can focus on the received-from 11" address(s) included in the message 110. The received-from IP address is based at least in part upon the received-from IP
information. Generally. mail sent over the Internet is transported from server to server involving as few as two servers (e.g.. a sender and a receiver) at times. In even rarer occurrences. a client can send directly to a server. In some cases. many more servers can be involved such that mail or messages are sent from one server to another due to the presence of firewalls. for example. In particular. some servers can be located on the inside of a firewall. and thus can only communicate with designated servers on the other side of the firewall. This causes an increase in the number of hops the message takes to get from the sender to the receiver. The received-from lines comprising the IP
addresses facilitate tracing the path of the message to ascertain where the message came from.
As the message l 10 travels from server to server. each server which is contacted prepends the identity of the IP address that it received the message from to a received-from field (i.e.. "Received:" field) of the message. as well as the name of the alleged FQDN of the server it is talking to. This FQDN is told to the receiving server by the sending server, through the HELO command of the SMTP protocol, and thus cannot be trusted if the sending server is outside the organization. For example. the message can have five received from lines with 5 IP addresses and FQDNs prepended, thus indicating that it has passed through six different servers (i.e., been passed 5 times), with the lines in the reverse order in which they were prepended (i.e., latest first). However, each server has the ability to modify any lower (earlier prepended) lines. This can be particularly problematic especially when the message has traveled between multiple servers.
Because each intermediate server is capable of altering any earlier written (lower) received-from
9 1 }
MS30 3501.1 lines. spammers can prepend fake lP addresses to the received-from lines of the message to disguise the received-from IP inforniation or sender of the spam message.
For example. a spam message may initially appear as if it was sent from trusteddomain.com.
thus misrepresenting the true source of the message to the recipient.
It is important for spam software to readily identify an 11' address outside the organization that sent to a server inside the organization. Since this 11"
address is written by the receiving server. inside the organization- it can be trusted as the correct IP address.
All other IP addresses outside the organization cannot be trusted. since they were written by servers outside the organization. and thus. possibly modified. There may be many 11"
addresses of the sending servers involved in the path to the recipient organization. but since only one can be trusted. we refer to this one trustworthy one as the "sender's- IP
address.
One way for spam filtering software to find this sender's IP address is to know the mail server configurations at an organization. In general. if one knows which machines pass to which other machines in which situations. one can determine the sender's IP
address. However. it may not be convenient to describe the server configuration.
especially for spam filtering software installed on email clients. An alternate approach involves utilizing MX records to determine the true source of a message. MX
records list. for each domain name. the FQDNs of recipients of email for that domain.
One can trace back through the received from list until an IP address is found that corresponds to an FQDN corresponding to an entry in the domain's MX record. The IP addresses that this machine received from is the sender's IP address. Imagine that 1.2.3.101 is the only MX record for x.com. Then by finding the line that received from 1.2.3.101.
one can know the next line corresponds to x.com's incoming mail server. and thus that the IP
address in that line corresponds to the IP address that sent to x.com.
The table below depicts an exemplary analysis as discussed supra of determining the true source of a message:
line comment Received: from a . x . com Internal to x.com ([1.2.3.1001) by b.x.com Tue, 1 ~
MS303501.1 2 P.Fr 2003 13.1148 -0 70 --- -eecei-:ed: from mai1server .x.Ccn 1.2.3. 101 is an MX record for x.com so we Ii.2.~.10i]i b b.x.cc?n Tu know next line is first internal to x.com 22 .-:or 2003 12.11.48 - "~C0 Fece <<-ed: romp outside.ecm This is where x.com received the message:
14 " c " J ] ) by this is the last trusted line. Use 4.5.6.7 as mal.lserver.x.ccm Tue, 22 fir sender's IP address 2003 11:11:48 -0700 Received: from trustedser,der.ccm This line may be fake. constructed b\-8 . 9. 10 11] ) by outside. cony server at 4.5.6.7 Tue, 22 Apr 2003 10:11:48 -Currently. there is no accepted standard for listing outgoing mail servers.
and this heuristic can fail if for instance. IP addresses internal to an organization are different than those external to an organization. or if an organization sends mail from one machine listed in an MX record indirectly to another machine listed in an MX record.
Further- in the special case where the sender's IP as found above is found to he internal to the organization- as could happen if one machine in the MX record sent to another in the MX
record. the process is continued as above. In addition. certain IP addresses can be detected as internal (because they are of the form 10.x.v.z or 172.16.y.z through 1 72.31.y.z or 192.168Øz through 192.168.255.z. a form used only for internal IP
addresses); any address internal to an organization can be trusted. Finally-if a received from line is of the form "Received from a.x.com 11.2.3.1001" and an IP address lookup of a.x.com yields 1.2.3.100 or a reverse IP address lookup of 1.2.3.100 yields a.x.corn and if x.com is the organization. then the next line can also be trusted.
Using these observations, it is often possible to find the sender's IP
address.
Exemplary pseudocode is as follows:
bool fFoundHostlnMX;
If (external IP address of MX records matches internal IP
address of MX records) {
MS303501.1 fFoundHostlnMX = FALSE; # it's worth looking for } else {
fFoundHostlnMX = TRUE; # it's not worth looking for, pretend we already found it }
for each received from line of the form Received from a.b.c (i.j.k.l} {
if i.j.k.l in MX records of receiver domain {
fFoundHostlnMX = TRUE;
continue;
}
if not fFoundHostlnMX
{
# Has not yet gone through an MX record, must be internal continue;
}
if i.j.k.1 is of form
MS30 3501.1 lines. spammers can prepend fake lP addresses to the received-from lines of the message to disguise the received-from IP inforniation or sender of the spam message.
For example. a spam message may initially appear as if it was sent from trusteddomain.com.
thus misrepresenting the true source of the message to the recipient.
It is important for spam software to readily identify an 11' address outside the organization that sent to a server inside the organization. Since this 11"
address is written by the receiving server. inside the organization- it can be trusted as the correct IP address.
All other IP addresses outside the organization cannot be trusted. since they were written by servers outside the organization. and thus. possibly modified. There may be many 11"
addresses of the sending servers involved in the path to the recipient organization. but since only one can be trusted. we refer to this one trustworthy one as the "sender's- IP
address.
One way for spam filtering software to find this sender's IP address is to know the mail server configurations at an organization. In general. if one knows which machines pass to which other machines in which situations. one can determine the sender's IP
address. However. it may not be convenient to describe the server configuration.
especially for spam filtering software installed on email clients. An alternate approach involves utilizing MX records to determine the true source of a message. MX
records list. for each domain name. the FQDNs of recipients of email for that domain.
One can trace back through the received from list until an IP address is found that corresponds to an FQDN corresponding to an entry in the domain's MX record. The IP addresses that this machine received from is the sender's IP address. Imagine that 1.2.3.101 is the only MX record for x.com. Then by finding the line that received from 1.2.3.101.
one can know the next line corresponds to x.com's incoming mail server. and thus that the IP
address in that line corresponds to the IP address that sent to x.com.
The table below depicts an exemplary analysis as discussed supra of determining the true source of a message:
line comment Received: from a . x . com Internal to x.com ([1.2.3.1001) by b.x.com Tue, 1 ~
MS303501.1 2 P.Fr 2003 13.1148 -0 70 --- -eecei-:ed: from mai1server .x.Ccn 1.2.3. 101 is an MX record for x.com so we Ii.2.~.10i]i b b.x.cc?n Tu know next line is first internal to x.com 22 .-:or 2003 12.11.48 - "~C0 Fece <<-ed: romp outside.ecm This is where x.com received the message:
14 " c " J ] ) by this is the last trusted line. Use 4.5.6.7 as mal.lserver.x.ccm Tue, 22 fir sender's IP address 2003 11:11:48 -0700 Received: from trustedser,der.ccm This line may be fake. constructed b\-8 . 9. 10 11] ) by outside. cony server at 4.5.6.7 Tue, 22 Apr 2003 10:11:48 -Currently. there is no accepted standard for listing outgoing mail servers.
and this heuristic can fail if for instance. IP addresses internal to an organization are different than those external to an organization. or if an organization sends mail from one machine listed in an MX record indirectly to another machine listed in an MX record.
Further- in the special case where the sender's IP as found above is found to he internal to the organization- as could happen if one machine in the MX record sent to another in the MX
record. the process is continued as above. In addition. certain IP addresses can be detected as internal (because they are of the form 10.x.v.z or 172.16.y.z through 1 72.31.y.z or 192.168Øz through 192.168.255.z. a form used only for internal IP
addresses); any address internal to an organization can be trusted. Finally-if a received from line is of the form "Received from a.x.com 11.2.3.1001" and an IP address lookup of a.x.com yields 1.2.3.100 or a reverse IP address lookup of 1.2.3.100 yields a.x.corn and if x.com is the organization. then the next line can also be trusted.
Using these observations, it is often possible to find the sender's IP
address.
Exemplary pseudocode is as follows:
bool fFoundHostlnMX;
If (external IP address of MX records matches internal IP
address of MX records) {
MS303501.1 fFoundHostlnMX = FALSE; # it's worth looking for } else {
fFoundHostlnMX = TRUE; # it's not worth looking for, pretend we already found it }
for each received from line of the form Received from a.b.c (i.j.k.l} {
if i.j.k.l in MX records of receiver domain {
fFoundHostlnMX = TRUE;
continue;
}
if not fFoundHostlnMX
{
# Has not yet gone through an MX record, must be internal continue;
}
if i.j.k.1 is of form
10.x.y.z or 172.16.y.z to 172.31.y.z or 192.168Øz to 192.168.255.z {
# Must be internal continue;
}
if DNS lookup of a.b.c yields i.j.k.1 and b.c is receiver domain {
# Must be internal continue;
ti MS303501.1 }
Output sender's alleged FQDN a.b.c and sender's actual IP address i.j.k.k }
If we reach here, then Error: unable to identify sender's alleged FQDN and sender's actual IP address Many things can be done with the senders IP address. as with other origination and destination features. First, they can be added to a list of uniformly bad senders.
sometimes known as a Black List. The Black Lists can be employed subsequently to filter. block. or redirect untrustworthy messages to an appropriate folder or location where they can be further investigated.
Other types of lists can also be generated and implemented as filters on both client- and server-based architectures. In the client architecture. a user can inform the client email software who he should be receiving mail from (e.g., mailing lists.
individuals. etc). A list of records corresponding to trusted email addresses can be generated either manually or automatically by the user. Accordingly. imagine that a sender having an email address 'b@zyx.com' sends the user an email message.
The senders email address b@zyx.com comprises a user name. 'b'. and an FQDN/IP
`zyx.com-. When the client receives the incoming message l 10 from the sender (b(&zvx.com), it can search a trusted sender list for the user's email address to determine if the user has indicated that 'b@zyx.com' is a valid and trusted address. For server architectures. the lists can be located directly on the server. Therefore. as messages arrive at the message server. their respective features (e.g.. sender's IP
address. domain name(s) in MAIL FROM or HELO fields, and other origination and/or destination information) can be compared to the lists located on the message server.
Messages that are determined to be from valid senders can be delivered to the intended recipients according to either client-based or server-based delivery protocols. However.
messages determined to include origination or destination features in lists of questionable or bad features can be moved to a Spam or junk mail folder for discard, or otherwise specially treated.
MS 303501.1 As an alternative to populating lists of trusted or had origination features.
the sender's origination features (e.g.. 113 address. alleged From address) can be extracted as one or more features and later used in connection with machine learning techniques for filter building and/or training.
The IP address can be derived from an email address (e. g., IP lookup on the FQDN in the sender's address or reply-to address) in any part of a message header or from an lP address lookup of the domain name portion of a URL link embedded in a body of the message. or directly from an 11' address if it occurs as the FQDN/1P portion of a URL. Furthermore. as will be described later. the IP address has several attributes.
each of which can be utilized as a feature of a machine learning system or as an element on a user-populated list. Thus. in a second approach. the feature extraction component 130 can exploit the many subparts of the IP address(s) to generate additional features.
Any combination of features as described above can be extracted from each incoming message l 10. Messages can be randomly. automatically. and/or manually selected to participate in feature extraction. although typically all messages can be used.
The extracted sets of features are subsequently applied to a filter training component 140 such as machine learning systems or any other system.thatbuilds and/or trains filters 150 such as spam filters.
Referring now to Fig. 2. there is illustrated a feature extraction system 200 that facilitates deobfuscating or normalizing one or more features of an incoming message 210 in accordance with one aspect of the present invention. Ultimately. a filter(s) can be built based at least in part upon one or more of the normalized features. The system 200 comprises a feature extractor component 220 that receives an incoming message either directly as shown or indirectly by way of a message receiver (Fig. 1).
for example.
Incoming messages selected for or participating in feature extraction can be subjected to the system 200, according to user preferences. Alternatively, substantially all incoming messages can be available for and participate in the feature extraction.
Feature extraction involves pulling out one or more features 230 (also referred to as FEATURE, 232. FEATURE2 234, and FEATUREõ 236, where M is an integer greater than or equal to one) associated with origination and/or destination information from the message 210. Origination information can relate to elements indicating the sender of the MS303501 .1 message as well as server domain names and related identification information that specifies from where the message came. Destination information can relate to elements of a message indicating to whom or where the recipient can send his response to the message. Origination and destination information can be found in a header of the message as well as in the body of the message either visible or invisible (e.g.. embedded as text or in image) to the message recipient.
Because spammers tend to disguise and/or obfuscate their identity frequently to avoid detection by conventional spam filters. the system 200 comprises a feature normalizer component 240 that facilitates deobfuscating the one or more extracted features 230. or at least portions thereof. The feature norrrializer component 240 can process and/or breakdown the extracted features 230 such as by analyzing the extracted features 230 (e.g.. the FQDN -- consulting a directory of blocks and MX
records and/or translating the FQDN according to its current format) and then comparing them to a database(s) of existing spammer lists. non-spammer lists. and/or parental control lists. for example. In some cases as discussed infru in Fig. 4. such as when the extracted feature is a URL prefixes and/or suffixes may also be removed to facilitate normalizing the feature and identifying whether the URL points to a spammer's website or to a legitimate source.
Once the features are normalized. at least a subset of them 250 can then be employed by a training system 260 such as a machine learning system. to build and/or update a filter(s) 270. The filler(s) can be trained for use as a spam filter and/or a junk-mail filter. for example. Furthermore. the filler(s) can be built and/or trained with positive features such as those which indicate a non-spam source (e.g..
sender's From email address, sender's IP address, embedded telephone numbers. and/or URL) and/or a non-spam sender as well as with negative features such as those that identify and are associated with a spammer.
Alternatively or in addition, the set of features can be utilized to populate a new or add to an existing spam feature list 280. Other lists can also be generated to correspond to the particular extracted features such as a list of good addresses. a list of bad addresses.
a list of good URLs, a list of bad URLs. a list of good telephone numbers, and a list of bad telephone numbers. Good feature lists can identify non-spammers.
historically legitimate senders, and/or senders having a higher likelihood of non-spamminess (e.g..
MS303501.1 -90% chance not seam source). Conversely. bad feature lists can correspond to spammers. potential spammers. and/or senders having a relatively higher likelihood of spamminess (e.g_. -90% spam source).
Referring now to Figs. 3-6. there are illustrated exemplary features which can be derived and extracted from an IP address, a FQDN. an email address and a URL.
respectively. to facilitate spam detection and prevention in accordance with several aspects of the present invention.
Fig. 3 depicts an exemplary breakdown of an IP address 300 in accordance with an aspect of the present invention. An IP address 300 is 32 bits long and allocated into blocks (e.g.. netblocks) when expressed in dotted decimal format (e.g.. 4 blocks of up to 3 digits each. wherein each block is separated by periods and wherein each block of 3 digits is any number divisible between 0 and 255). The blocks are assigned to classes such as Class A. Class B. and Class C. Each block comprises a set number of IP
addresses wherein the number of IP addresses per block varies according to the class.
That is. depending on the class (i.e.. A. B, or Q. there can be more or less addresses assigned per block. The block size is usually a power of 2 and a set of IP
addresses in the same block will share the first k binary digits and differ in the last 32-k (e.g.. 32 minus k) binary digits. Thus. each block can be identified (block ID 302) according to its shared first k bits. In order to determine the block ID 302 associated with the particular IP
address 300. a user can consult a directory of blocks such as arin.net.
Moreover, the block ID 302 can be extracted and employed as a feature.
In some circumstances, however. the block ID 302 cannot be readily determined even by referencing arin.net because groups of IP addresses within a block can be sold up divided and re-sold any number of times. In such instances, a user or extraction system can make one or more guesses at the block IDs 302 for the respective IP
addresses. For example. the user can extract at least a first I bit 304. at least a first 2 bits 306, at least a first 3 bits 308, at least a first M bits 310 (i.e., M is an integer greater or equal to one) and/or up to at least a first 31 bits 312 as separate features for subsequent use by a machine learning system and/or as elements on a feature list(s) (e.g., good feature lists.
spam feature lists, etc.).
MS303501.1 In practice. for instance. the first I bit of an IP address can be extracted and employed as a feature to determine whether the lP address points to a spammer or non-spammer. The first I bit from other IP addresses extracted from other messages can be compared to facilitate determining at least one block ID. Identifying at least one block ID can then assist discerning whether the message is from a spammer. Moreover.
lP
addresses which share the first M bits can be compared with respect to their other extracted features to ascertain whether the IP addresses are from legitimate senders and/or whether the respective messages are spain.
IP addresses can also be arranged hierarchically (314). That is. a set of high order bits may be allocated to a particular country. That country can allocate a subset to an ISP
(Internet Service Provider). and that ISP may then allocate a subset to a particular company. Accordingly. various levels can be meaningful for the same IP
address. For example. the fact that an IP address comes from a block allocated for Korea could be useful in determining whether the IP address is associated with a spammer. If the 11"
address is part of a block allocated to an ISP with a strict policy against spammers. this also could be useful in determining that the IP address is not associated with a spammer.
Hence. by employing each of the first 1-31 bits of an IP address in combination with the hierarchal arrangement 314 of at least a subset of IP addresses. a user can automatically learn information at different levels without actually knowing the manner in which an IP
address was allocated (e.g.. without knowing the block IDs).
In addition to the features discussed above. a feature's rarity 316 (e.g..
occurrence of feature is not common enough) can be determined by performing suitable calculations and/or employing statistical data comparing the frequency or count in which the feature appears in a sampling of incoming messages, for instance. In practice, an uncommon IP
address 300 may be an example of a dial-up line being used to deliver email, which is a tactic often used by spammers. Spammers tend to modify their identity and/or location frequently. Thus. the fact that a feature is common or uncommon may be useful information. Hence, a feature's rarity 316 can be used as a feature of the machine learning system and/or as a part of at least one list (e.g.. rare feature list).
Fig. 4 demonstrates an exemplary feature breakdown of a FQDN 400, such as for example. b.x.com. The FQDN 400 can be extracted from a HELO field, for instance, MS303501.1 (e.g.. senders alleged FQDN) and typically comprises a host name 402 and a domain name 404. The host name 402 refers to a particular computer. which is "b"
according to the example. The domain name 404 refers to the name of at least one machine or a group of machines on the internet. In the instant example. "x.com" represents the domain name 404. A hierarchal breakdown of the FQDN 400 is represented by 406. In particular.
B.X.COM 408 (full FQDN 400) can be partially stripped down to X.COM 410 (partial FQDN). which then can be stripped down to COM 412 (partial FQDN). whereby each partial FQDN can be employed as a feature.
Some features. such as received-from information. exist primarily as IP
addresses.
Thus. it may be useful to convert the FQDN 400 to an IP address 300 that can be broken down into additional features (as shown in Fig. 3) because it is relatively easy to create new host names and domain names. but relatively difficult to obtain new IP
addresses.
Unfortunately. owners of a domain can make apparently different machines all map to the same place. For instance. the owner of a machine named "a.x.com'`
could be the same as the owner of "b.x.com" which could be the same owner of "x.com".
Thus.
the spammer could easily mislead a conventional filter to believe that the message is from the FQDN 400 "b.x.com" instead of from the domain 404 "x.com"'. thereby allowing the message to pass by the spam filter when in actuality. the domain 404 "x.com"
would have indicated that the message was spam or was more likely to be spam. Hence.
it can be useful to strip the address down to simply the domain name 404 when extracting the origination and/or destination information of the message. Alternatively or in addition.
the full FQDN 400 can be extracted as a feature.
In some cases. additional resources are available, such as parental control systems. These resources can often assign a "type" or qualitative assessment.
such as pornographic or violent. to host names and/or to URLs. The extracted features can be further classified by type, using such a resource. The feature type 414 of the feature can then be used as an additional feature in connection with building and/or training improved spam related filters. Alternatively, lists can be generated corresponding to different feature types which have previously been identified. The features types 414 can include, but are not limited to, sex or pornographic related features, racial and/or hate-MS 303501.1 speech related features. physical enhancement features. income or financial solutions features. home-buying features. etc. which identify general subject matter of messages.
Finally. the rarity of a feature 316 or of a feature type (see Fig. 3. supra) can be another feature as discussed above in Fig. 3. For example. a feature extracted from a message such as the host name "B" 402 from the FQDN 400 " b.x_com" may be a common example of the feature type: pornographic material. Therefore. when this feature is extracted from the message and then found on a pornographic material feature list. it can be concluded that the message is more likely to be spam. or is unsuitable/inappropriate for all ages. or constitutes adult content (e.g..
adult rating). and the like. Thus. each list can comprise the more common features of that particular type.
Alternatively. the corresponding IP address may be commonly found in spam messages in general and thus designated as a common feature of spam. Moreover. a feature's commonality and/or rarity can be employed as a separate feature for machine learning or other rule-based systems.
Fig. 5 demonstrates an exemplary feature breakdown of an email address 500:
a c b.x.com. which includes a FQDN 400 as well as a few additional features.
such as a user name 502. The email address 500 can be extracted from the From field. the cc (carbon copy) field. and the reply-to field of a message. as well as from any of the mailto:
links in the body of the message (e.g_. mai)to: links are a special kind of link that when clicked. generates mail to a particular address). and. if available, from the MAIL FROM
command used in the SMTP protocol. Email addresses 500 can also be embedded as text in the body of the message. In some cases. the message content may direct a recipient to use the `reply all' function when responding to the message. In such cases.
the addresses in the cc field and/or at least a portion of those included in the `to' field (if more than one recipient is listed) would also be replied to. Thus, each of these addresses could be extracted as one or more features to facilitate spammer identification and prevention.
The email address 500 `a@b.x.com' can be broken down to various elements or subparts and those elements can be extracted and employed as features as well.
In particular, the email address comprises a user name 502 and an FQDN 504 (e.g..
see FQDN 400 in Fig. 4) which can be broken down even further into additional features.
MS 303501.1 For several practical reasons. such as ease of use. recognition. and recollection. email addresses are usually notated using FQDNs rather than IP addresses.
In the current example. 'a!ab.x.com' comprises the user name 502 "a". Thus.
"a""
can be extracted as one feature. Likewise. the FQDN 504 '-b.x.com" can be extracted from the email address as at least one other feature. The FQDN 504 portion of the email address 500 can be passed through a parental control filter in order to facilitate determining the feature type 414. which is described in greater detail. supra.
in Fig. 4.
Hence. the feature type as it relates to the FQDN portion of the email address 500 can be used as an additional feature.
In addition to email addresses. spammers are often contacted through URLs.
Fig.
6 depicts an exemplary URL 600 (e.g.. x.y.com/a/b/c) along with a plurality of features extracted therefrom in accordance with an aspect of the present invention. The can be embedded as text in the body of the message and/or as an image in the body of the message. For example. spam messages can include pointers to websites. thereby directing a recipient to the spammer's webpage or related site.
URLs can be deobfuscated in a similar manner with respect to 1P addresses.
Initially. any prefix (e.g.. service name) such as http://. hops://. fip://.
telnet://. for example. can he removed before deobfuscating the URL 600. In addition. if an symbol (e.g.. %40 in hex notation) appears amid the URL. anything between the prefix (e.g.. http://) and the "@"' symbol call be removed before normalizing the URL
400.
Incorporating text between the prefix and the "@" symbol can be another tactic or form of trickery by spammers to confuse the message recipient as to the true page location the recipient is being directed to.
For example. http:/hyww.amazon.com@121.122.123.124/info.htm appears to the message recipient as if this page is located at www.amazon.com. Thus, the recipient may be more inclined to trust the link and more importantly, the message sender.
On the contrary, the true page location is at "121.122.123.124" which may in fact correspond to a spam-related webpage. In some cases. however, legitimate senders may incorporate authentication information such as a login name and password in this portion of the URL
400 to facilitate an automatic login.
MS 303501.1 Once normalized and deobfuscated. the URL 600 can essentially he expressed as x.v.com/a/b/c. where x.v.com 630 is the name of the machine (FQDN) and a/b/c (e.g..
suffix(s)) is the location of a file on that machine. If x.y.com/a/b/c 600 identifies a spammer(s). then x.v.com/a/b 610 and x.v.com/a 620 most likely identify the same or a related spammer(s) as well. Thus_ the end portion or pathway of the URL 600 can be stripped off one part at a time. for example. to obtain additional features for a machine learning system or list. This makes it more difficult for spammers to create many different locations that all actually lead to them in such a way that a pattern is not noticed.
When the suffixes have been stripped off. the FQDN 630 can be further parsed to obtain additional features as previously discussed. supra. in Fig. 4.
Furthermore. the FQDN 630 can also be converted into an IP address as demonstrated in Fig. 3.
supra.
Accordingly. various features related to the IP address can also be used as features.
Some UR1_s are written with an lP address instead of an FQDN. (e.g.. dotted decimal format) such as nnn.nnn.nnn.nnn/a/b/c. The suffixes can be removed in successive order beginning with the "c" and at each stage. the resulting (partial) URL can he used as a feature (e. .. nnn.nnn.nnn.nnn/a/h: nnn.nnn.nnn.nnn/a: and nnn.nnn.nnn.nnn are all possible features to extract from the URL in dotted decimal format).
Following.
the IP address (e. g.. free of suffixes and prefixes) can be used as a feature. It can then be mapped to its netblock. If the netblock is not ascertainable. then multiple guesses can be made using each of the first 1. 2.... and up to a first 31 bits of the IP
address as separate features (see Fig. 3).
In addition to the dotted decimal format, the IP address can be expressed in dword (double word) formal (e.g., two binary words of 16 bits each in base 10). in octal format (e.g.. base 8). and hexadecimal format (e.g.. base 16). In practice, spammers can obfuscate an IP address. a URL, a MAILTO link. and/or a FQDN by, for example.
encoding the domain name portion using %nn notation (where nn is a pair of hex digits).
Some URLs can include redirectors which may be employed to confuse or trick the user. A redirector is a parameter or set of parameters following a "?" in the IP
address of the URL that instruct a browser to redirect itself to another web page. For example. the URL may appear as ",kyww.intend edpage.com?www.actualpage. com."
wherein the browser actually points to "w-,vw.actualpage.com" and loads that page MS303501. 1 instead of the anticipated "wv w.inicndedpage.coin" page. Hence. parameters contained within a URL can also be considered for extraction as features.
Various methodologies in accordance with the subject invention will now be described via a series of acts. It is to be understood and appreciated that the present invention is not limited by the order of acts. as some acts may. in accordance with the present invention. occur in different orders and/or concurrently with other acts from that shown and described herein. For example. those skilled in the art Will understand and appreciate that a methodology could alternatively be represented as a series of interrelated states or events. such as in a state diagram. Moreover. not all illustrated acts may he required to implement a methodology in accordance with the present invention.
Referring to Fig. 7. there is illustrated a flow diagram of an exemplary process 700 that facilitates training a filter in accordance with an aspect of the present invention.
The process 700 can begin with receiving a message (e.g.. at least one message) at 710.
The message(s) can be received by a server. for example. where an existing filter (e.g.. a spam filter) can classify that the message is likely spam or unlikely spam based at least in part upon a set of criteria previously learned by the filter. The message can be parsed to extract one or more features therefrom at 720. The extraction of features is described in further detail at 725 (in/i-a at Fig. 11). Examples of features include information (e.g..
sender's IP address) located in a received from field. reply-to field. cc field. mailto field.
MAIL FROM SMTP command. HELO field. URL address embedded in the text or as an image. and/or a non-toll free telephone number (e.g.. area code to map geographically region). as well as text in the body of the message.
The extracted (and/or normalized) features as well as the classification of the message (e.g.. spam or not spam) can be added to a training set of data at 730. At 740.
the above (e.g.. 710. 720, and 730) can be repeated for substantially all other incoming messages until they are processed accordingly. At 750, features that appear to be useful or the most useful features can be selected from the training set(s). Such selected features can be employed to train a filter, such as a machine learning filter. for example. by way of a machine learning algorithm at 760.
Once trained. a machine learning filter can be utilized to facilitate spam detection as described by an exemplary methodology 800 in Fig. 8. The methodology 800 begins MS30 3501.1 with receiving a message at 810. At 820. one or more features are extracted from the message as described infra with respect to Fig. 11. At 830. the extracted features are passed through a filter trained by a machine learning system. for instance.
Following. a verdict such as "spam'. "not spam". or a probability of the message being spam is obtained from the machine learning sstem. Once the verdict is obtained regarding the content of the message. appropriate action can be taken. Types of actions include. but are not limited to. deleting the message. moving the message to a special folder.
quarantining the message. and allowing recipient access to the message.
Alternatively. list-based activities can be performed with features extracted from messages. Referring to Fig. 9. there is illustrated a flow diagram of an exemplary process 900 for building and populating lists based at least in part upon extracted features and their occurrence in received messages classified as either spam or not spam (or likely or unlikely lobe spam). The process 900 begins by receiving a message at 910.
Following.
some feature of interest is extracted at 920 such as the message sender's IP
address. for example. At some time after the message is received. the message can be classified as spam or not spam. for example. by an existing filter. At 930. the feature can be incrementally counted according to the classification of the message (e.g..
sparn or not spam). This can be repeated at 940 until substantially all messages are processed (e.g., at 910. 920. and 930). Thereafter at 950. lists of features can be created. For example, one list can be created for sender IP addresses which are 90% good (e.g.. not spam 90% of the time or not spam in 90% of incoming messages). Likewise. another list can be created for sender IP addresses which are 90% bad (spam). Other lists for other features can be created in a similar manner.
It should be appreciated that these lists can be dynamic. That is. they can be updated as additional groups of new messages are processed. Hence. it is possible for a sender's IP address to initially be found on a good list; and then at some time later, be found on a bad list, as it is common for some spammers to initially send good mail (e.g..
to gain the "trust" of filters as well as recipients) and then begin to send substantially only spam.
These lists can be utilized in various ways. For instance, they can be used to generate training sets for use by a machine learning system to train filters.
Such is MS 303501.1 depicted by an exemplary process 1000 described next in Fig. 10. According to Fig. 10.
the process 1000 can begin by receiving a message at 1010. The message can be classified. for instance. as spam or not spam. At 1020. features including but not limited to the senders IP address can be extracted from the message. At 1030. the extracted features and the classification of the message are added to a training set which is subsequently used to train a machine learning system.
Following at 1040. a special feature corresponding to a particular list the sender 1P address is on is included in the training set. For example. if the sender IP address was on the "90% good' list. then the feature added to the training set would be "90% good list". At 1050. the preceding steps (e. g.. 1010. 1020. 103 0. and 1040) can be repeated to process substantially all incoming messages. Since some features can be more useful for filter training purposes than others. the most useful feature or features are selected based in part on user preferences at 1060 and employed to train a filter(s). such as a spam filter.
using a machine learning algorithm.
Moreover, dynamic lists of IP addresses. for example. can be constructed for comparison with test messages. new messages. and/or suspicious messages.
However.
the IP addresses themselves are not features in this instance. Instead, the quality of the IP
address is the feature. Alternatively or in addition. the lists can be utilized in other ways.
In practice. for instance. a list of suspicious IP addresses can be used to flag a sender as bad. and accordingly. treat their messages with suspicion.
Turning now to Fig. 1 l . there is illustrated a flow diagram of an exemplary method 1100 of extracting features from a message in conjunction with the processes 700, 800. 900. and 1000 described above in Figs. 7-10. respectively. The method 1100 can begin wherein a received-from IP address. or a portion thereof, is extracted and normalized at l 110. Also at l 110. the IP address can undergo bit-wise processing (e.g..
first l bit, first 2 bits.....up to first 31 bits - as discussed in Fig. 3) in order to extract additional features from the received-from IP address. Furthermore. the sender's alleged host name can also be extracted at l 110. The normalized received-from IP
address and sender host name features can now be used as features of a machine learning system or related training system.
MS30350 1.1 Optionally. at 1120. contents of the "From:- line can he extracted and/or normalized and subsequently employed as features. At 11-3 0_ contents of the "MAIL
FROM SM7 P" command can similarly he extracted and/or normalized for use as features.
The method 1100 can then proceed to look for other possible features that may he included in the message. For example. it may optionally extract and normalize (if necessary) contents in a reply-to field at 1140. At 1150. contents of the cc field can optionally be extracted and/or normalized for use as at least one feature. At 1160. non-toll free telephone numbers can optionally he extracted from the body of the message and assigned as features as well. Non-telephone numbers can be useful to identify Spammers because the area code and/or first three digits of the phone number can be used to map the location of the spammer. If more than one non-toll free telephone number exists in the message. each number can be extracted and used as separate features at 1160.
Likewise. one or more URLs and/or MAILTO links. or portions thereof. can optionally be extracted and/or normalized. respectively at 1 170 and 1180. In particular.
the URL can undergo pathway stripping (e. g.. file name portion of URL).
wherein one or more suffixes attached to the end of the FQDN portion of the URL can be stripped away.
This can result in one or more partial URLs. depending on the number of suffixes in the pathway. Each partial URL can he employed as a separate feature in accordance with the subject invention.
The method l 100 can continue to scan the body of the message to look for other email addresses as well as key words and/or phrases (e.g.. previously selected or determined) which may be more likely to be found in a spam message than in a legitimate message and vice versa. Each word or phrase can be extracted and used as a feature for either the machine learning systems or as an element of a list. or both.
As previously discussed, messages sent over the Internet can be sent from server to server with as few as two servers involved. The number of servers that have contact with the message increases as a result of the presence of firewalls and related network architectures. As the message is passed from server to server, each server prepends its IP
address to the received-from field. Each server also has the ability to modify the any earlier prepended received-from addresses. Spammers. unfortunately. can take advantage MS303501.1 of this ability and can enter fake addresses in the received-from fields to disguise their location and/or identity and to mislead the recipient as to the source of the message.
Fig. 12 illustrates a 1lo\~, diagram of an exemplary process 1200 for distinguishing between legitimate and fake (e.g.. spammer) prepended server IP addresses in the received-from line of an incoming message. The prepended received-from addresses can be examined in the order in which they were added (e.g., first one is the most recently added). Thus. a user can trace back through the chain of sending server IP
addresses to determine a last trusted server 1P address at 1210. At 1220. the last trusted server IP
address (the one directly outside the organization) can be extracted as a feature to be used by a machine learning system. Any other IP address after the last trusted one can be considered questionable or untrustworthy and may be ignored. but could be compared to lists of (mostly) good IP addresses and (mostly) bad IP addresses.
At 1230. the senders alleged FQDN can also be extracted to facilitate determining whether the sender is either legitimate or a spammer. More specifically. the alleged FQDN can be broken down by domain stripping to yield more than one partial FQDNs. For instance. imagine that the alleged FQDN is a.b.c.x.com. This alleged FQDN would be stripped in the following manner to yield: b_c.x.com -> c.x.com -->
x.com - com. Thus. each partial FQDN segment as well as the full FQDN can he employed as a separate feature to assist in determining fake and legitimate senders.
The present invention can also make use of parental control systems. Parental control systems can classify a message as unsuitable for viewing based at least in part upon some content of the message and provide a reason for the unsuitable classification.
For example, a URL may be embedded within a message as a clickable link (either text or image-based). or as text within the body of the message. The parental control system can compare the embedded URL(s) to one or more of its stored good and/or bad URL
lists to determine the proper classification of the message, or using other techniques for parental control classification. The classification can then be used as an additional feature either in the machine learning system or on a feature list, or both.
In Fig. 13. a flow diagram of an exemplary process 1300 for incorporating at least one aspect of a parental control system into the present invention is demonstrated. After receiving a set of messages at 1310. the message can be scanned for URLs, mailto links.
MS303501.1 or other text which resembles a mailto link. a URL. or some portion of a URL
at 1320. If the message does not appear to contain any of the above at 1330. then the process 1300 returns to 1310. However. if the message does indicate such. then at least a portion of the detected characters can be passed on to at least one parental control system at 1340.
At 1350. the parental control system can classify the mailto link. URL. or portion thereof by consulting one or more databases of URLs. mailto links. URL service names.
URL paths. and FQDNs (e.g.. such as the FQDN portions of URLs. email addresses.
etc.). For example. the message may be classified as containing at least one of pornographic. get-out-of-debt. gambling. and other similar material. Such classification can be extracted as an additional feature at 1360. Since the subject matter of a majority of spam messages includes such material. incorporating the parental control system can be useful in obtaining additional features with which the machine learning system can use to train and build improved filters. Other classifications exist as well including. but not limited to. hate speech. sex material. gun-violence. and drug-related material. wherein such classifications can be used as features as well. Spam messages may or may not involve subject matter related to these types of materials. but a user may still want to block these types of messages.
In practice. the different classifications can indicate different degrees of spaminess. For instance. messages classified as hate speech may signify substantially no degree of spaminess (e.g.. because it is most likely not spam). Conversely-messages classified as sexual content/material may reflect a relatively higher degree of spaminess (e.g., --90% certainty that message is spam). Machine learning systems can build filters that account for the degree of spaminess. Thus, a filter can be customized and personalized to satisfy user preferences.
As already discussed, a myriad of features can be extracted from a message and used as training data by a machine learning system or as elements on a list(s) identifying good and bad features. The qualities of features, in addition to the features themselves, can be useful in detecting and preventing spam. For instance, imagine that one feature is the sender's email address. The email address could be used as one feature and the frequency or count of that email address appearing in new incoming messages could be used as another feature.
MS303501 .1 Fig. 14 depicts a flow diagram of an exemplary process 1400 for extracting this type of feature (e. g.. related to the commonality or rarity of the extracted feature).
Spammers often Irv to change their location quickly. and as a result. are more likely than most users to send mail from a previously unseen address or to send mail with URLs pointing to a previously unknown machine. for example. Therefore. for each feature type (e.g.. received-from IP address. URL.. email address. domain name. etc.) that is extracted-assuming that it list of features for each type is being maintained. it particular features occurrence rate. frequency. or count can be tracked.
The process 1400 can begin with an extraction of one or more features from an incoming message and/or normalization of the feature(s) at 1410. The feature can then be compared to one or more lists of features which have been previously extracted or observed in a plurality of previous messages at 1420. The process 1400 can then determine if the present feature is common. The commonality of a feature can be determined by a calculated frequency of the feature appearing in recent and/or previous incoming messages. If the message is not common or not common enough (e.g..
fails to satisfy a commonality threshold) at 1430. then its rarity can be used as an additional feature at 1440. Otherwise. the features commonality can also be used as a feature as well at 1450.
In accordance with the present invention as described hereinabove_ the following pseudo-code can be employed to carry out at least one aspect of the invention.
Variable names are indicated in all uppercase. As an additional note. two functions.
add-machine-features and add-ip-features are defined at the end of the pseudo-code. Notation like "PREFIX-machine-MACHINE" is used to indicate the string composed of whatever is in the PREFIX variable concatenated with the word `'machine" concatenated with whatever is in the MACHINE variable. Finally. the function add-to-feature-list writes the feature to the list of features associated with the current message.
The exemplary pseudo-code is as follows:
fl' for a given message, extract all the features IPADDRESS the last external IP address in the received-from list;
MS303501.1 add-ipfeatures(received, IPADDRESS);
SENDERS-ALLEGED-FQDN FQDN in the last external IP
address in the received-from list;
add-machine-features(sendersfqdn, SENDERS-ALLEGED-FQDN);
for each email address type TYPE in (from, CC, to, reply-to, embedded-mailto-link, embedded-address, and SMTP MAIL
FROM) {
for each address ADDRESS of type TYPE in the message {
deobfuscate ADDRESS if necessary;
add-to-feature-list TYPE-ADDRESS;
if ADDRESS is of the form NAME@MACHINE then {
add-machine-features(TYPE, MACHINE);
}
else { # ADDRESS is of form NAME@IPADDRESS
add-ip-features(TYPE, IPADDRESS);
}
}
}
for each url type TYPE in (clickable-links, text-based-links, embedded-image-links) {
for each URL in the message of type TYPE
{
deobfuscate URL;
add-to-feature-list TYPE-URL;
set PARENTALCLASS := parental control system class of URL;
add-to-feature-list TYPE-class-PARENTCLASS;
while URL has a location suffix {
remove location suffix from URL, i.e. x.y/a/b/c -> x.y/a/b; x.y/a/b -> x.y/a; x.y/a;
}
# All suffixes have been removed; URL is now either machine name or IP address if URL is machine name {
add-machine-features(TYPE, URL);
}
else {
add-ip-features(TYPE, URL);
MS303501.1 }
}
}
function add-machine-features(PREFIX, MACHINE) {
add-ip-features(PREFIX-ip, nslookup(MACHINE));
while MACHINE not equal {
add-to-feature-list PREFIX-machine-MACHINE;
remove beginning from MACHINE # (i.e. a_x.com ->
x.com, or x.com -> com);
}
function add-ip-features(PREFIX, IPADDRESS) {
add-to-feature-list PREFIX-ipaddress-IPADDRESS;
find netblock NETBLOCK of IPADDRESS;
add-to-feature-list PREFIX-netblock-NETBLOCK;
for N = 1 to 31 {
MASKED = first N bits of IPADDRESS;
add-to-feature-list PREFIX-masked-N-MASKED;
}
In order to provide additional context for various aspects of the present invention.
Fig. 15 and the following discussion are intended to provide a brief. general description of a suitable operating environment 1510 in which various aspects of the present invention may be implemented. While the invention is described in the general context of computer-executable instructions, such as program modules. executed by one or more computers or other devices, those skilled in the art will recognize that the invention can also be implemented in combination with other program modules and/or as a combination of hardware and software.
Generally, however, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular data types. The operating environment 1510 is only one example of a suitable operating environment and is not intended to suggest any limitation as to the scope of use or functionality of the invention. Other well known computer systems.
environments, and/or configurations that may be suitable for use with the invention include but are not MS303501.1 limited to. personal computers. hand-held or laptop devices, multiprocessor systems.
microprocessor-based systems. programmable consumer electronics. network PC's.
minicomputers. mainframe computers. distributed computing em ironments that include the above systems or devices, and the like.
With reference to Fig. 15. an exemplary environment 1510 for implementing various aspects of the invention includes a computer 1512. The computer 1512 includes a processing unit 1514. a system memory 1516. and a system bus 1518. The system bus 1518 couples the system components including. but not limited to. the system memory 1516 to the processing unit 1514. The processing unit 1514 can be any of various available processors. Dual microprocessors and other multiprocessor architectures also can he employed as the processing unit 1514.
The system bus 1518 can be any of several types of bus structure(s) including the memory bus or memory controller. a peripheral bus or external bus. and/or a local bus using any variety of available bus architectures including. but not limited to. 1 1-bit bus.
Industrial Standard Architecture (ISA). Micro-Channel Architecture (MSA).
Extended ISA (LISA). Intelligent Drive Electronics (IDE). VESA Local Bus (VLB).
Peripheral Component Interconnect (PC]). Universal Serial Bus (USB). Advanced Graphics Port (AGP). Personal Computer Memory Card International Association bus (PCMCIA).
and Small Computer Systems Interface (SCSI).
The system memory 1 516 includes volatile memory 1 520 and nonvolatile memory 1522. The basic input/output system (BIOS). containing the basic routines to transfer information between elements within the computer 1512. such as during start-up, is stored in nonvolatile memory 1522. By way of illustration, and not limitation, nonvolatile memory 1522 can include read only memory (ROM). programmable ROM
(PROM), electrically programmable ROM (EPROM), electrically erasable ROM
(EEPROM), or flash memory. Volatile memory 1520 includes random access memory (RAM), which acts as external cache memory. By way of illustration and not limitation, RAM is available in many forms such as synchronous RAM (SRAM). dynamic RAM
(DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM).
enhanced SDRAM (ESDRAM). Synchlink DRAM (SLDRAM), and direct Rambus RAM (DRRAM).
MS 303501.1 Computer 1512 also includes removable/nonremovable. volatile/nonvolatile computer storage media. Fig. 15 illustrates. for example a disk storage 1524.
Disk storage 1524 includes. but is not limited to. devices like a magnetic disk drive. floppy disk drive. tape drive. Jaz drive. Zip drive. LS-100 drive. flash memory card.
or memory stick. In addition. disk storage 1524 can include storage media separately or in combination with other storage media including. but not limited to. an optical disk drive such as a compact disk ROM device (CD-ROM). CD recordable drive (CD-R Drive).
CD
rewritable drive (CD-RW Drive) or a digital versatile disk ROM drive (DVD-ROM). To facilitate connection of the disk storage devices 1524 to the system bus 1518.
a removable or non-removable interface is typically used such as interface 1526.
It is to be appreciated that Fig. 15 describes software that acts as an intermediary between users and the basic computer resources described in suitable operating environment 1510. Such software includes an operating system 1528. Operating system 1528. which can be stored on disk storage 1524. acts to control and allocate resources of the computer system 1512. System applications 1530 take advantage of the management of resources by operating system 1528 through program modules 1532 and program data 1534 stored either in system memory 1516 or on disk storage 1524. It is to be appreciated that the present invention can be implemented with various operating systems or combinations of operating systems.
A user enters commands or information into the computer 1512 through input device(s) 1536. Input devices 1536 include. but are not limited to. a pointing device such as a mouse. trackball, stylus. touch pad, keyboard, microphone, joystick, game pad, satellite dish, scanner, TV tuner card, digital camera, digital video camera, web camera, and the like. These and other input devices connect to the processing unit 1514 through the system bus 1518 via interface port(s) 1538. Interface port(s) 1538 include, for example, a serial port, a parallel port, a game port, and a universal serial bus (USB).
Output device(s) 1540 use some of the same type of ports as input device(s) 1536. Thus, for example, a USB port may be used to provide input to computer 1512, and to output information from computer 1512 to an output device 1540. Output adapter 1542 is provided to illustrate that there are some output devices 1540 like monitors, speakers, and printers among other output devices 1540 that require special adapters. The output MS303501.1 adapters 1542 include. by way of illustration and not limitation, video and sound cards that provide a means of connection between the output device 1540 and the system bus 1518. It should be noted that other devices and/or systems of devices provide both input and output capabilities such as remote computer(s) 1544.
Computer 1512 can operate in a networked environment using logical connections to one or more remote computers. such as remote computer(s) 1544. The remote computer(s) 1544 can be a personal computer. a server. a router. a network PC_ a workstation- a microprocessor based appliance. a peer device or other common network node and the like- and typically includes many or all of the elements described relative to computer 1512. For purposes of brevity- only a memory storage device 1546 is illustrated with remote computer(s) 1544. Remote computer(s) 1544 is logically connected to computer 1512 through a network interface 1548 and then physically connected via communication connection 1550. Network interface 1548 encompasses communication networks such as local-area networks (LAN) and wide-area networks (WAN). LAN technologies include Fiber Distributed Data Interface (FDDI).
Copper Distributed Data Interface (CDDI)_ Ethernet/IEEE 11023. Token Ring/IEEE 1 102.5 and the like. WAN technologies include. but are not limited to. point-to-point links. circuit switching networks like Integrated Services Digital Networks (ISDN) and variations thereon. packet switching networks. and Digital Subscriber Lines (DSL).
Communication connection(s) 1550 refers to the hardware/software employed to connect the network interface 1548 to the bus 1518. While communication connection 1550 is shown for illustrative clarity inside computer 1512, it can also be external to computer 1512. The hardware/software necessary for connection to the network interface 1 548 includes, for exemplary purposes only. internal and external technologies such as.
modems including regular telephone grade modems. cable modems and DSL modems.
ISDN adapters, and Ethernet cards.
What has been described above includes examples of the present invention. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the present invention, but one of ordinary skill in the art may recognize that many further combinations and permutations of the present invention are possible. Accordingly. the present invention is intended to embrace all MS303501.1 such alterations. modifications and variations that fall within the spirit and scope of the appended claims. Furthermore. to the extent that the term "includes" is used in either the detailed description or the claims. such term is intended to be inclusive in a manner similar to the term "comprising" as "comprising" is interpreted when employed as a transitional word in a claim.
# Must be internal continue;
}
if DNS lookup of a.b.c yields i.j.k.1 and b.c is receiver domain {
# Must be internal continue;
ti MS303501.1 }
Output sender's alleged FQDN a.b.c and sender's actual IP address i.j.k.k }
If we reach here, then Error: unable to identify sender's alleged FQDN and sender's actual IP address Many things can be done with the senders IP address. as with other origination and destination features. First, they can be added to a list of uniformly bad senders.
sometimes known as a Black List. The Black Lists can be employed subsequently to filter. block. or redirect untrustworthy messages to an appropriate folder or location where they can be further investigated.
Other types of lists can also be generated and implemented as filters on both client- and server-based architectures. In the client architecture. a user can inform the client email software who he should be receiving mail from (e.g., mailing lists.
individuals. etc). A list of records corresponding to trusted email addresses can be generated either manually or automatically by the user. Accordingly. imagine that a sender having an email address 'b@zyx.com' sends the user an email message.
The senders email address b@zyx.com comprises a user name. 'b'. and an FQDN/IP
`zyx.com-. When the client receives the incoming message l 10 from the sender (b(&zvx.com), it can search a trusted sender list for the user's email address to determine if the user has indicated that 'b@zyx.com' is a valid and trusted address. For server architectures. the lists can be located directly on the server. Therefore. as messages arrive at the message server. their respective features (e.g.. sender's IP
address. domain name(s) in MAIL FROM or HELO fields, and other origination and/or destination information) can be compared to the lists located on the message server.
Messages that are determined to be from valid senders can be delivered to the intended recipients according to either client-based or server-based delivery protocols. However.
messages determined to include origination or destination features in lists of questionable or bad features can be moved to a Spam or junk mail folder for discard, or otherwise specially treated.
MS 303501.1 As an alternative to populating lists of trusted or had origination features.
the sender's origination features (e.g.. 113 address. alleged From address) can be extracted as one or more features and later used in connection with machine learning techniques for filter building and/or training.
The IP address can be derived from an email address (e. g., IP lookup on the FQDN in the sender's address or reply-to address) in any part of a message header or from an lP address lookup of the domain name portion of a URL link embedded in a body of the message. or directly from an 11' address if it occurs as the FQDN/1P portion of a URL. Furthermore. as will be described later. the IP address has several attributes.
each of which can be utilized as a feature of a machine learning system or as an element on a user-populated list. Thus. in a second approach. the feature extraction component 130 can exploit the many subparts of the IP address(s) to generate additional features.
Any combination of features as described above can be extracted from each incoming message l 10. Messages can be randomly. automatically. and/or manually selected to participate in feature extraction. although typically all messages can be used.
The extracted sets of features are subsequently applied to a filter training component 140 such as machine learning systems or any other system.thatbuilds and/or trains filters 150 such as spam filters.
Referring now to Fig. 2. there is illustrated a feature extraction system 200 that facilitates deobfuscating or normalizing one or more features of an incoming message 210 in accordance with one aspect of the present invention. Ultimately. a filter(s) can be built based at least in part upon one or more of the normalized features. The system 200 comprises a feature extractor component 220 that receives an incoming message either directly as shown or indirectly by way of a message receiver (Fig. 1).
for example.
Incoming messages selected for or participating in feature extraction can be subjected to the system 200, according to user preferences. Alternatively, substantially all incoming messages can be available for and participate in the feature extraction.
Feature extraction involves pulling out one or more features 230 (also referred to as FEATURE, 232. FEATURE2 234, and FEATUREõ 236, where M is an integer greater than or equal to one) associated with origination and/or destination information from the message 210. Origination information can relate to elements indicating the sender of the MS303501 .1 message as well as server domain names and related identification information that specifies from where the message came. Destination information can relate to elements of a message indicating to whom or where the recipient can send his response to the message. Origination and destination information can be found in a header of the message as well as in the body of the message either visible or invisible (e.g.. embedded as text or in image) to the message recipient.
Because spammers tend to disguise and/or obfuscate their identity frequently to avoid detection by conventional spam filters. the system 200 comprises a feature normalizer component 240 that facilitates deobfuscating the one or more extracted features 230. or at least portions thereof. The feature norrrializer component 240 can process and/or breakdown the extracted features 230 such as by analyzing the extracted features 230 (e.g.. the FQDN -- consulting a directory of blocks and MX
records and/or translating the FQDN according to its current format) and then comparing them to a database(s) of existing spammer lists. non-spammer lists. and/or parental control lists. for example. In some cases as discussed infru in Fig. 4. such as when the extracted feature is a URL prefixes and/or suffixes may also be removed to facilitate normalizing the feature and identifying whether the URL points to a spammer's website or to a legitimate source.
Once the features are normalized. at least a subset of them 250 can then be employed by a training system 260 such as a machine learning system. to build and/or update a filter(s) 270. The filler(s) can be trained for use as a spam filter and/or a junk-mail filter. for example. Furthermore. the filler(s) can be built and/or trained with positive features such as those which indicate a non-spam source (e.g..
sender's From email address, sender's IP address, embedded telephone numbers. and/or URL) and/or a non-spam sender as well as with negative features such as those that identify and are associated with a spammer.
Alternatively or in addition, the set of features can be utilized to populate a new or add to an existing spam feature list 280. Other lists can also be generated to correspond to the particular extracted features such as a list of good addresses. a list of bad addresses.
a list of good URLs, a list of bad URLs. a list of good telephone numbers, and a list of bad telephone numbers. Good feature lists can identify non-spammers.
historically legitimate senders, and/or senders having a higher likelihood of non-spamminess (e.g..
MS303501.1 -90% chance not seam source). Conversely. bad feature lists can correspond to spammers. potential spammers. and/or senders having a relatively higher likelihood of spamminess (e.g_. -90% spam source).
Referring now to Figs. 3-6. there are illustrated exemplary features which can be derived and extracted from an IP address, a FQDN. an email address and a URL.
respectively. to facilitate spam detection and prevention in accordance with several aspects of the present invention.
Fig. 3 depicts an exemplary breakdown of an IP address 300 in accordance with an aspect of the present invention. An IP address 300 is 32 bits long and allocated into blocks (e.g.. netblocks) when expressed in dotted decimal format (e.g.. 4 blocks of up to 3 digits each. wherein each block is separated by periods and wherein each block of 3 digits is any number divisible between 0 and 255). The blocks are assigned to classes such as Class A. Class B. and Class C. Each block comprises a set number of IP
addresses wherein the number of IP addresses per block varies according to the class.
That is. depending on the class (i.e.. A. B, or Q. there can be more or less addresses assigned per block. The block size is usually a power of 2 and a set of IP
addresses in the same block will share the first k binary digits and differ in the last 32-k (e.g.. 32 minus k) binary digits. Thus. each block can be identified (block ID 302) according to its shared first k bits. In order to determine the block ID 302 associated with the particular IP
address 300. a user can consult a directory of blocks such as arin.net.
Moreover, the block ID 302 can be extracted and employed as a feature.
In some circumstances, however. the block ID 302 cannot be readily determined even by referencing arin.net because groups of IP addresses within a block can be sold up divided and re-sold any number of times. In such instances, a user or extraction system can make one or more guesses at the block IDs 302 for the respective IP
addresses. For example. the user can extract at least a first I bit 304. at least a first 2 bits 306, at least a first 3 bits 308, at least a first M bits 310 (i.e., M is an integer greater or equal to one) and/or up to at least a first 31 bits 312 as separate features for subsequent use by a machine learning system and/or as elements on a feature list(s) (e.g., good feature lists.
spam feature lists, etc.).
MS303501.1 In practice. for instance. the first I bit of an IP address can be extracted and employed as a feature to determine whether the lP address points to a spammer or non-spammer. The first I bit from other IP addresses extracted from other messages can be compared to facilitate determining at least one block ID. Identifying at least one block ID can then assist discerning whether the message is from a spammer. Moreover.
lP
addresses which share the first M bits can be compared with respect to their other extracted features to ascertain whether the IP addresses are from legitimate senders and/or whether the respective messages are spain.
IP addresses can also be arranged hierarchically (314). That is. a set of high order bits may be allocated to a particular country. That country can allocate a subset to an ISP
(Internet Service Provider). and that ISP may then allocate a subset to a particular company. Accordingly. various levels can be meaningful for the same IP
address. For example. the fact that an IP address comes from a block allocated for Korea could be useful in determining whether the IP address is associated with a spammer. If the 11"
address is part of a block allocated to an ISP with a strict policy against spammers. this also could be useful in determining that the IP address is not associated with a spammer.
Hence. by employing each of the first 1-31 bits of an IP address in combination with the hierarchal arrangement 314 of at least a subset of IP addresses. a user can automatically learn information at different levels without actually knowing the manner in which an IP
address was allocated (e.g.. without knowing the block IDs).
In addition to the features discussed above. a feature's rarity 316 (e.g..
occurrence of feature is not common enough) can be determined by performing suitable calculations and/or employing statistical data comparing the frequency or count in which the feature appears in a sampling of incoming messages, for instance. In practice, an uncommon IP
address 300 may be an example of a dial-up line being used to deliver email, which is a tactic often used by spammers. Spammers tend to modify their identity and/or location frequently. Thus. the fact that a feature is common or uncommon may be useful information. Hence, a feature's rarity 316 can be used as a feature of the machine learning system and/or as a part of at least one list (e.g.. rare feature list).
Fig. 4 demonstrates an exemplary feature breakdown of a FQDN 400, such as for example. b.x.com. The FQDN 400 can be extracted from a HELO field, for instance, MS303501.1 (e.g.. senders alleged FQDN) and typically comprises a host name 402 and a domain name 404. The host name 402 refers to a particular computer. which is "b"
according to the example. The domain name 404 refers to the name of at least one machine or a group of machines on the internet. In the instant example. "x.com" represents the domain name 404. A hierarchal breakdown of the FQDN 400 is represented by 406. In particular.
B.X.COM 408 (full FQDN 400) can be partially stripped down to X.COM 410 (partial FQDN). which then can be stripped down to COM 412 (partial FQDN). whereby each partial FQDN can be employed as a feature.
Some features. such as received-from information. exist primarily as IP
addresses.
Thus. it may be useful to convert the FQDN 400 to an IP address 300 that can be broken down into additional features (as shown in Fig. 3) because it is relatively easy to create new host names and domain names. but relatively difficult to obtain new IP
addresses.
Unfortunately. owners of a domain can make apparently different machines all map to the same place. For instance. the owner of a machine named "a.x.com'`
could be the same as the owner of "b.x.com" which could be the same owner of "x.com".
Thus.
the spammer could easily mislead a conventional filter to believe that the message is from the FQDN 400 "b.x.com" instead of from the domain 404 "x.com"'. thereby allowing the message to pass by the spam filter when in actuality. the domain 404 "x.com"
would have indicated that the message was spam or was more likely to be spam. Hence.
it can be useful to strip the address down to simply the domain name 404 when extracting the origination and/or destination information of the message. Alternatively or in addition.
the full FQDN 400 can be extracted as a feature.
In some cases. additional resources are available, such as parental control systems. These resources can often assign a "type" or qualitative assessment.
such as pornographic or violent. to host names and/or to URLs. The extracted features can be further classified by type, using such a resource. The feature type 414 of the feature can then be used as an additional feature in connection with building and/or training improved spam related filters. Alternatively, lists can be generated corresponding to different feature types which have previously been identified. The features types 414 can include, but are not limited to, sex or pornographic related features, racial and/or hate-MS 303501.1 speech related features. physical enhancement features. income or financial solutions features. home-buying features. etc. which identify general subject matter of messages.
Finally. the rarity of a feature 316 or of a feature type (see Fig. 3. supra) can be another feature as discussed above in Fig. 3. For example. a feature extracted from a message such as the host name "B" 402 from the FQDN 400 " b.x_com" may be a common example of the feature type: pornographic material. Therefore. when this feature is extracted from the message and then found on a pornographic material feature list. it can be concluded that the message is more likely to be spam. or is unsuitable/inappropriate for all ages. or constitutes adult content (e.g..
adult rating). and the like. Thus. each list can comprise the more common features of that particular type.
Alternatively. the corresponding IP address may be commonly found in spam messages in general and thus designated as a common feature of spam. Moreover. a feature's commonality and/or rarity can be employed as a separate feature for machine learning or other rule-based systems.
Fig. 5 demonstrates an exemplary feature breakdown of an email address 500:
a c b.x.com. which includes a FQDN 400 as well as a few additional features.
such as a user name 502. The email address 500 can be extracted from the From field. the cc (carbon copy) field. and the reply-to field of a message. as well as from any of the mailto:
links in the body of the message (e.g_. mai)to: links are a special kind of link that when clicked. generates mail to a particular address). and. if available, from the MAIL FROM
command used in the SMTP protocol. Email addresses 500 can also be embedded as text in the body of the message. In some cases. the message content may direct a recipient to use the `reply all' function when responding to the message. In such cases.
the addresses in the cc field and/or at least a portion of those included in the `to' field (if more than one recipient is listed) would also be replied to. Thus, each of these addresses could be extracted as one or more features to facilitate spammer identification and prevention.
The email address 500 `a@b.x.com' can be broken down to various elements or subparts and those elements can be extracted and employed as features as well.
In particular, the email address comprises a user name 502 and an FQDN 504 (e.g..
see FQDN 400 in Fig. 4) which can be broken down even further into additional features.
MS 303501.1 For several practical reasons. such as ease of use. recognition. and recollection. email addresses are usually notated using FQDNs rather than IP addresses.
In the current example. 'a!ab.x.com' comprises the user name 502 "a". Thus.
"a""
can be extracted as one feature. Likewise. the FQDN 504 '-b.x.com" can be extracted from the email address as at least one other feature. The FQDN 504 portion of the email address 500 can be passed through a parental control filter in order to facilitate determining the feature type 414. which is described in greater detail. supra.
in Fig. 4.
Hence. the feature type as it relates to the FQDN portion of the email address 500 can be used as an additional feature.
In addition to email addresses. spammers are often contacted through URLs.
Fig.
6 depicts an exemplary URL 600 (e.g.. x.y.com/a/b/c) along with a plurality of features extracted therefrom in accordance with an aspect of the present invention. The can be embedded as text in the body of the message and/or as an image in the body of the message. For example. spam messages can include pointers to websites. thereby directing a recipient to the spammer's webpage or related site.
URLs can be deobfuscated in a similar manner with respect to 1P addresses.
Initially. any prefix (e.g.. service name) such as http://. hops://. fip://.
telnet://. for example. can he removed before deobfuscating the URL 600. In addition. if an symbol (e.g.. %40 in hex notation) appears amid the URL. anything between the prefix (e.g.. http://) and the "@"' symbol call be removed before normalizing the URL
400.
Incorporating text between the prefix and the "@" symbol can be another tactic or form of trickery by spammers to confuse the message recipient as to the true page location the recipient is being directed to.
For example. http:/hyww.amazon.com@121.122.123.124/info.htm appears to the message recipient as if this page is located at www.amazon.com. Thus, the recipient may be more inclined to trust the link and more importantly, the message sender.
On the contrary, the true page location is at "121.122.123.124" which may in fact correspond to a spam-related webpage. In some cases. however, legitimate senders may incorporate authentication information such as a login name and password in this portion of the URL
400 to facilitate an automatic login.
MS 303501.1 Once normalized and deobfuscated. the URL 600 can essentially he expressed as x.v.com/a/b/c. where x.v.com 630 is the name of the machine (FQDN) and a/b/c (e.g..
suffix(s)) is the location of a file on that machine. If x.y.com/a/b/c 600 identifies a spammer(s). then x.v.com/a/b 610 and x.v.com/a 620 most likely identify the same or a related spammer(s) as well. Thus_ the end portion or pathway of the URL 600 can be stripped off one part at a time. for example. to obtain additional features for a machine learning system or list. This makes it more difficult for spammers to create many different locations that all actually lead to them in such a way that a pattern is not noticed.
When the suffixes have been stripped off. the FQDN 630 can be further parsed to obtain additional features as previously discussed. supra. in Fig. 4.
Furthermore. the FQDN 630 can also be converted into an IP address as demonstrated in Fig. 3.
supra.
Accordingly. various features related to the IP address can also be used as features.
Some UR1_s are written with an lP address instead of an FQDN. (e.g.. dotted decimal format) such as nnn.nnn.nnn.nnn/a/b/c. The suffixes can be removed in successive order beginning with the "c" and at each stage. the resulting (partial) URL can he used as a feature (e. .. nnn.nnn.nnn.nnn/a/h: nnn.nnn.nnn.nnn/a: and nnn.nnn.nnn.nnn are all possible features to extract from the URL in dotted decimal format).
Following.
the IP address (e. g.. free of suffixes and prefixes) can be used as a feature. It can then be mapped to its netblock. If the netblock is not ascertainable. then multiple guesses can be made using each of the first 1. 2.... and up to a first 31 bits of the IP
address as separate features (see Fig. 3).
In addition to the dotted decimal format, the IP address can be expressed in dword (double word) formal (e.g., two binary words of 16 bits each in base 10). in octal format (e.g.. base 8). and hexadecimal format (e.g.. base 16). In practice, spammers can obfuscate an IP address. a URL, a MAILTO link. and/or a FQDN by, for example.
encoding the domain name portion using %nn notation (where nn is a pair of hex digits).
Some URLs can include redirectors which may be employed to confuse or trick the user. A redirector is a parameter or set of parameters following a "?" in the IP
address of the URL that instruct a browser to redirect itself to another web page. For example. the URL may appear as ",kyww.intend edpage.com?www.actualpage. com."
wherein the browser actually points to "w-,vw.actualpage.com" and loads that page MS303501. 1 instead of the anticipated "wv w.inicndedpage.coin" page. Hence. parameters contained within a URL can also be considered for extraction as features.
Various methodologies in accordance with the subject invention will now be described via a series of acts. It is to be understood and appreciated that the present invention is not limited by the order of acts. as some acts may. in accordance with the present invention. occur in different orders and/or concurrently with other acts from that shown and described herein. For example. those skilled in the art Will understand and appreciate that a methodology could alternatively be represented as a series of interrelated states or events. such as in a state diagram. Moreover. not all illustrated acts may he required to implement a methodology in accordance with the present invention.
Referring to Fig. 7. there is illustrated a flow diagram of an exemplary process 700 that facilitates training a filter in accordance with an aspect of the present invention.
The process 700 can begin with receiving a message (e.g.. at least one message) at 710.
The message(s) can be received by a server. for example. where an existing filter (e.g.. a spam filter) can classify that the message is likely spam or unlikely spam based at least in part upon a set of criteria previously learned by the filter. The message can be parsed to extract one or more features therefrom at 720. The extraction of features is described in further detail at 725 (in/i-a at Fig. 11). Examples of features include information (e.g..
sender's IP address) located in a received from field. reply-to field. cc field. mailto field.
MAIL FROM SMTP command. HELO field. URL address embedded in the text or as an image. and/or a non-toll free telephone number (e.g.. area code to map geographically region). as well as text in the body of the message.
The extracted (and/or normalized) features as well as the classification of the message (e.g.. spam or not spam) can be added to a training set of data at 730. At 740.
the above (e.g.. 710. 720, and 730) can be repeated for substantially all other incoming messages until they are processed accordingly. At 750, features that appear to be useful or the most useful features can be selected from the training set(s). Such selected features can be employed to train a filter, such as a machine learning filter. for example. by way of a machine learning algorithm at 760.
Once trained. a machine learning filter can be utilized to facilitate spam detection as described by an exemplary methodology 800 in Fig. 8. The methodology 800 begins MS30 3501.1 with receiving a message at 810. At 820. one or more features are extracted from the message as described infra with respect to Fig. 11. At 830. the extracted features are passed through a filter trained by a machine learning system. for instance.
Following. a verdict such as "spam'. "not spam". or a probability of the message being spam is obtained from the machine learning sstem. Once the verdict is obtained regarding the content of the message. appropriate action can be taken. Types of actions include. but are not limited to. deleting the message. moving the message to a special folder.
quarantining the message. and allowing recipient access to the message.
Alternatively. list-based activities can be performed with features extracted from messages. Referring to Fig. 9. there is illustrated a flow diagram of an exemplary process 900 for building and populating lists based at least in part upon extracted features and their occurrence in received messages classified as either spam or not spam (or likely or unlikely lobe spam). The process 900 begins by receiving a message at 910.
Following.
some feature of interest is extracted at 920 such as the message sender's IP
address. for example. At some time after the message is received. the message can be classified as spam or not spam. for example. by an existing filter. At 930. the feature can be incrementally counted according to the classification of the message (e.g..
sparn or not spam). This can be repeated at 940 until substantially all messages are processed (e.g., at 910. 920. and 930). Thereafter at 950. lists of features can be created. For example, one list can be created for sender IP addresses which are 90% good (e.g.. not spam 90% of the time or not spam in 90% of incoming messages). Likewise. another list can be created for sender IP addresses which are 90% bad (spam). Other lists for other features can be created in a similar manner.
It should be appreciated that these lists can be dynamic. That is. they can be updated as additional groups of new messages are processed. Hence. it is possible for a sender's IP address to initially be found on a good list; and then at some time later, be found on a bad list, as it is common for some spammers to initially send good mail (e.g..
to gain the "trust" of filters as well as recipients) and then begin to send substantially only spam.
These lists can be utilized in various ways. For instance, they can be used to generate training sets for use by a machine learning system to train filters.
Such is MS 303501.1 depicted by an exemplary process 1000 described next in Fig. 10. According to Fig. 10.
the process 1000 can begin by receiving a message at 1010. The message can be classified. for instance. as spam or not spam. At 1020. features including but not limited to the senders IP address can be extracted from the message. At 1030. the extracted features and the classification of the message are added to a training set which is subsequently used to train a machine learning system.
Following at 1040. a special feature corresponding to a particular list the sender 1P address is on is included in the training set. For example. if the sender IP address was on the "90% good' list. then the feature added to the training set would be "90% good list". At 1050. the preceding steps (e. g.. 1010. 1020. 103 0. and 1040) can be repeated to process substantially all incoming messages. Since some features can be more useful for filter training purposes than others. the most useful feature or features are selected based in part on user preferences at 1060 and employed to train a filter(s). such as a spam filter.
using a machine learning algorithm.
Moreover, dynamic lists of IP addresses. for example. can be constructed for comparison with test messages. new messages. and/or suspicious messages.
However.
the IP addresses themselves are not features in this instance. Instead, the quality of the IP
address is the feature. Alternatively or in addition. the lists can be utilized in other ways.
In practice. for instance. a list of suspicious IP addresses can be used to flag a sender as bad. and accordingly. treat their messages with suspicion.
Turning now to Fig. 1 l . there is illustrated a flow diagram of an exemplary method 1100 of extracting features from a message in conjunction with the processes 700, 800. 900. and 1000 described above in Figs. 7-10. respectively. The method 1100 can begin wherein a received-from IP address. or a portion thereof, is extracted and normalized at l 110. Also at l 110. the IP address can undergo bit-wise processing (e.g..
first l bit, first 2 bits.....up to first 31 bits - as discussed in Fig. 3) in order to extract additional features from the received-from IP address. Furthermore. the sender's alleged host name can also be extracted at l 110. The normalized received-from IP
address and sender host name features can now be used as features of a machine learning system or related training system.
MS30350 1.1 Optionally. at 1120. contents of the "From:- line can he extracted and/or normalized and subsequently employed as features. At 11-3 0_ contents of the "MAIL
FROM SM7 P" command can similarly he extracted and/or normalized for use as features.
The method 1100 can then proceed to look for other possible features that may he included in the message. For example. it may optionally extract and normalize (if necessary) contents in a reply-to field at 1140. At 1150. contents of the cc field can optionally be extracted and/or normalized for use as at least one feature. At 1160. non-toll free telephone numbers can optionally he extracted from the body of the message and assigned as features as well. Non-telephone numbers can be useful to identify Spammers because the area code and/or first three digits of the phone number can be used to map the location of the spammer. If more than one non-toll free telephone number exists in the message. each number can be extracted and used as separate features at 1160.
Likewise. one or more URLs and/or MAILTO links. or portions thereof. can optionally be extracted and/or normalized. respectively at 1 170 and 1180. In particular.
the URL can undergo pathway stripping (e. g.. file name portion of URL).
wherein one or more suffixes attached to the end of the FQDN portion of the URL can be stripped away.
This can result in one or more partial URLs. depending on the number of suffixes in the pathway. Each partial URL can he employed as a separate feature in accordance with the subject invention.
The method l 100 can continue to scan the body of the message to look for other email addresses as well as key words and/or phrases (e.g.. previously selected or determined) which may be more likely to be found in a spam message than in a legitimate message and vice versa. Each word or phrase can be extracted and used as a feature for either the machine learning systems or as an element of a list. or both.
As previously discussed, messages sent over the Internet can be sent from server to server with as few as two servers involved. The number of servers that have contact with the message increases as a result of the presence of firewalls and related network architectures. As the message is passed from server to server, each server prepends its IP
address to the received-from field. Each server also has the ability to modify the any earlier prepended received-from addresses. Spammers. unfortunately. can take advantage MS303501.1 of this ability and can enter fake addresses in the received-from fields to disguise their location and/or identity and to mislead the recipient as to the source of the message.
Fig. 12 illustrates a 1lo\~, diagram of an exemplary process 1200 for distinguishing between legitimate and fake (e.g.. spammer) prepended server IP addresses in the received-from line of an incoming message. The prepended received-from addresses can be examined in the order in which they were added (e.g., first one is the most recently added). Thus. a user can trace back through the chain of sending server IP
addresses to determine a last trusted server 1P address at 1210. At 1220. the last trusted server IP
address (the one directly outside the organization) can be extracted as a feature to be used by a machine learning system. Any other IP address after the last trusted one can be considered questionable or untrustworthy and may be ignored. but could be compared to lists of (mostly) good IP addresses and (mostly) bad IP addresses.
At 1230. the senders alleged FQDN can also be extracted to facilitate determining whether the sender is either legitimate or a spammer. More specifically. the alleged FQDN can be broken down by domain stripping to yield more than one partial FQDNs. For instance. imagine that the alleged FQDN is a.b.c.x.com. This alleged FQDN would be stripped in the following manner to yield: b_c.x.com -> c.x.com -->
x.com - com. Thus. each partial FQDN segment as well as the full FQDN can he employed as a separate feature to assist in determining fake and legitimate senders.
The present invention can also make use of parental control systems. Parental control systems can classify a message as unsuitable for viewing based at least in part upon some content of the message and provide a reason for the unsuitable classification.
For example, a URL may be embedded within a message as a clickable link (either text or image-based). or as text within the body of the message. The parental control system can compare the embedded URL(s) to one or more of its stored good and/or bad URL
lists to determine the proper classification of the message, or using other techniques for parental control classification. The classification can then be used as an additional feature either in the machine learning system or on a feature list, or both.
In Fig. 13. a flow diagram of an exemplary process 1300 for incorporating at least one aspect of a parental control system into the present invention is demonstrated. After receiving a set of messages at 1310. the message can be scanned for URLs, mailto links.
MS303501.1 or other text which resembles a mailto link. a URL. or some portion of a URL
at 1320. If the message does not appear to contain any of the above at 1330. then the process 1300 returns to 1310. However. if the message does indicate such. then at least a portion of the detected characters can be passed on to at least one parental control system at 1340.
At 1350. the parental control system can classify the mailto link. URL. or portion thereof by consulting one or more databases of URLs. mailto links. URL service names.
URL paths. and FQDNs (e.g.. such as the FQDN portions of URLs. email addresses.
etc.). For example. the message may be classified as containing at least one of pornographic. get-out-of-debt. gambling. and other similar material. Such classification can be extracted as an additional feature at 1360. Since the subject matter of a majority of spam messages includes such material. incorporating the parental control system can be useful in obtaining additional features with which the machine learning system can use to train and build improved filters. Other classifications exist as well including. but not limited to. hate speech. sex material. gun-violence. and drug-related material. wherein such classifications can be used as features as well. Spam messages may or may not involve subject matter related to these types of materials. but a user may still want to block these types of messages.
In practice. the different classifications can indicate different degrees of spaminess. For instance. messages classified as hate speech may signify substantially no degree of spaminess (e.g.. because it is most likely not spam). Conversely-messages classified as sexual content/material may reflect a relatively higher degree of spaminess (e.g., --90% certainty that message is spam). Machine learning systems can build filters that account for the degree of spaminess. Thus, a filter can be customized and personalized to satisfy user preferences.
As already discussed, a myriad of features can be extracted from a message and used as training data by a machine learning system or as elements on a list(s) identifying good and bad features. The qualities of features, in addition to the features themselves, can be useful in detecting and preventing spam. For instance, imagine that one feature is the sender's email address. The email address could be used as one feature and the frequency or count of that email address appearing in new incoming messages could be used as another feature.
MS303501 .1 Fig. 14 depicts a flow diagram of an exemplary process 1400 for extracting this type of feature (e. g.. related to the commonality or rarity of the extracted feature).
Spammers often Irv to change their location quickly. and as a result. are more likely than most users to send mail from a previously unseen address or to send mail with URLs pointing to a previously unknown machine. for example. Therefore. for each feature type (e.g.. received-from IP address. URL.. email address. domain name. etc.) that is extracted-assuming that it list of features for each type is being maintained. it particular features occurrence rate. frequency. or count can be tracked.
The process 1400 can begin with an extraction of one or more features from an incoming message and/or normalization of the feature(s) at 1410. The feature can then be compared to one or more lists of features which have been previously extracted or observed in a plurality of previous messages at 1420. The process 1400 can then determine if the present feature is common. The commonality of a feature can be determined by a calculated frequency of the feature appearing in recent and/or previous incoming messages. If the message is not common or not common enough (e.g..
fails to satisfy a commonality threshold) at 1430. then its rarity can be used as an additional feature at 1440. Otherwise. the features commonality can also be used as a feature as well at 1450.
In accordance with the present invention as described hereinabove_ the following pseudo-code can be employed to carry out at least one aspect of the invention.
Variable names are indicated in all uppercase. As an additional note. two functions.
add-machine-features and add-ip-features are defined at the end of the pseudo-code. Notation like "PREFIX-machine-MACHINE" is used to indicate the string composed of whatever is in the PREFIX variable concatenated with the word `'machine" concatenated with whatever is in the MACHINE variable. Finally. the function add-to-feature-list writes the feature to the list of features associated with the current message.
The exemplary pseudo-code is as follows:
fl' for a given message, extract all the features IPADDRESS the last external IP address in the received-from list;
MS303501.1 add-ipfeatures(received, IPADDRESS);
SENDERS-ALLEGED-FQDN FQDN in the last external IP
address in the received-from list;
add-machine-features(sendersfqdn, SENDERS-ALLEGED-FQDN);
for each email address type TYPE in (from, CC, to, reply-to, embedded-mailto-link, embedded-address, and SMTP MAIL
FROM) {
for each address ADDRESS of type TYPE in the message {
deobfuscate ADDRESS if necessary;
add-to-feature-list TYPE-ADDRESS;
if ADDRESS is of the form NAME@MACHINE then {
add-machine-features(TYPE, MACHINE);
}
else { # ADDRESS is of form NAME@IPADDRESS
add-ip-features(TYPE, IPADDRESS);
}
}
}
for each url type TYPE in (clickable-links, text-based-links, embedded-image-links) {
for each URL in the message of type TYPE
{
deobfuscate URL;
add-to-feature-list TYPE-URL;
set PARENTALCLASS := parental control system class of URL;
add-to-feature-list TYPE-class-PARENTCLASS;
while URL has a location suffix {
remove location suffix from URL, i.e. x.y/a/b/c -> x.y/a/b; x.y/a/b -> x.y/a; x.y/a;
}
# All suffixes have been removed; URL is now either machine name or IP address if URL is machine name {
add-machine-features(TYPE, URL);
}
else {
add-ip-features(TYPE, URL);
MS303501.1 }
}
}
function add-machine-features(PREFIX, MACHINE) {
add-ip-features(PREFIX-ip, nslookup(MACHINE));
while MACHINE not equal {
add-to-feature-list PREFIX-machine-MACHINE;
remove beginning from MACHINE # (i.e. a_x.com ->
x.com, or x.com -> com);
}
function add-ip-features(PREFIX, IPADDRESS) {
add-to-feature-list PREFIX-ipaddress-IPADDRESS;
find netblock NETBLOCK of IPADDRESS;
add-to-feature-list PREFIX-netblock-NETBLOCK;
for N = 1 to 31 {
MASKED = first N bits of IPADDRESS;
add-to-feature-list PREFIX-masked-N-MASKED;
}
In order to provide additional context for various aspects of the present invention.
Fig. 15 and the following discussion are intended to provide a brief. general description of a suitable operating environment 1510 in which various aspects of the present invention may be implemented. While the invention is described in the general context of computer-executable instructions, such as program modules. executed by one or more computers or other devices, those skilled in the art will recognize that the invention can also be implemented in combination with other program modules and/or as a combination of hardware and software.
Generally, however, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular data types. The operating environment 1510 is only one example of a suitable operating environment and is not intended to suggest any limitation as to the scope of use or functionality of the invention. Other well known computer systems.
environments, and/or configurations that may be suitable for use with the invention include but are not MS303501.1 limited to. personal computers. hand-held or laptop devices, multiprocessor systems.
microprocessor-based systems. programmable consumer electronics. network PC's.
minicomputers. mainframe computers. distributed computing em ironments that include the above systems or devices, and the like.
With reference to Fig. 15. an exemplary environment 1510 for implementing various aspects of the invention includes a computer 1512. The computer 1512 includes a processing unit 1514. a system memory 1516. and a system bus 1518. The system bus 1518 couples the system components including. but not limited to. the system memory 1516 to the processing unit 1514. The processing unit 1514 can be any of various available processors. Dual microprocessors and other multiprocessor architectures also can he employed as the processing unit 1514.
The system bus 1518 can be any of several types of bus structure(s) including the memory bus or memory controller. a peripheral bus or external bus. and/or a local bus using any variety of available bus architectures including. but not limited to. 1 1-bit bus.
Industrial Standard Architecture (ISA). Micro-Channel Architecture (MSA).
Extended ISA (LISA). Intelligent Drive Electronics (IDE). VESA Local Bus (VLB).
Peripheral Component Interconnect (PC]). Universal Serial Bus (USB). Advanced Graphics Port (AGP). Personal Computer Memory Card International Association bus (PCMCIA).
and Small Computer Systems Interface (SCSI).
The system memory 1 516 includes volatile memory 1 520 and nonvolatile memory 1522. The basic input/output system (BIOS). containing the basic routines to transfer information between elements within the computer 1512. such as during start-up, is stored in nonvolatile memory 1522. By way of illustration, and not limitation, nonvolatile memory 1522 can include read only memory (ROM). programmable ROM
(PROM), electrically programmable ROM (EPROM), electrically erasable ROM
(EEPROM), or flash memory. Volatile memory 1520 includes random access memory (RAM), which acts as external cache memory. By way of illustration and not limitation, RAM is available in many forms such as synchronous RAM (SRAM). dynamic RAM
(DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM).
enhanced SDRAM (ESDRAM). Synchlink DRAM (SLDRAM), and direct Rambus RAM (DRRAM).
MS 303501.1 Computer 1512 also includes removable/nonremovable. volatile/nonvolatile computer storage media. Fig. 15 illustrates. for example a disk storage 1524.
Disk storage 1524 includes. but is not limited to. devices like a magnetic disk drive. floppy disk drive. tape drive. Jaz drive. Zip drive. LS-100 drive. flash memory card.
or memory stick. In addition. disk storage 1524 can include storage media separately or in combination with other storage media including. but not limited to. an optical disk drive such as a compact disk ROM device (CD-ROM). CD recordable drive (CD-R Drive).
CD
rewritable drive (CD-RW Drive) or a digital versatile disk ROM drive (DVD-ROM). To facilitate connection of the disk storage devices 1524 to the system bus 1518.
a removable or non-removable interface is typically used such as interface 1526.
It is to be appreciated that Fig. 15 describes software that acts as an intermediary between users and the basic computer resources described in suitable operating environment 1510. Such software includes an operating system 1528. Operating system 1528. which can be stored on disk storage 1524. acts to control and allocate resources of the computer system 1512. System applications 1530 take advantage of the management of resources by operating system 1528 through program modules 1532 and program data 1534 stored either in system memory 1516 or on disk storage 1524. It is to be appreciated that the present invention can be implemented with various operating systems or combinations of operating systems.
A user enters commands or information into the computer 1512 through input device(s) 1536. Input devices 1536 include. but are not limited to. a pointing device such as a mouse. trackball, stylus. touch pad, keyboard, microphone, joystick, game pad, satellite dish, scanner, TV tuner card, digital camera, digital video camera, web camera, and the like. These and other input devices connect to the processing unit 1514 through the system bus 1518 via interface port(s) 1538. Interface port(s) 1538 include, for example, a serial port, a parallel port, a game port, and a universal serial bus (USB).
Output device(s) 1540 use some of the same type of ports as input device(s) 1536. Thus, for example, a USB port may be used to provide input to computer 1512, and to output information from computer 1512 to an output device 1540. Output adapter 1542 is provided to illustrate that there are some output devices 1540 like monitors, speakers, and printers among other output devices 1540 that require special adapters. The output MS303501.1 adapters 1542 include. by way of illustration and not limitation, video and sound cards that provide a means of connection between the output device 1540 and the system bus 1518. It should be noted that other devices and/or systems of devices provide both input and output capabilities such as remote computer(s) 1544.
Computer 1512 can operate in a networked environment using logical connections to one or more remote computers. such as remote computer(s) 1544. The remote computer(s) 1544 can be a personal computer. a server. a router. a network PC_ a workstation- a microprocessor based appliance. a peer device or other common network node and the like- and typically includes many or all of the elements described relative to computer 1512. For purposes of brevity- only a memory storage device 1546 is illustrated with remote computer(s) 1544. Remote computer(s) 1544 is logically connected to computer 1512 through a network interface 1548 and then physically connected via communication connection 1550. Network interface 1548 encompasses communication networks such as local-area networks (LAN) and wide-area networks (WAN). LAN technologies include Fiber Distributed Data Interface (FDDI).
Copper Distributed Data Interface (CDDI)_ Ethernet/IEEE 11023. Token Ring/IEEE 1 102.5 and the like. WAN technologies include. but are not limited to. point-to-point links. circuit switching networks like Integrated Services Digital Networks (ISDN) and variations thereon. packet switching networks. and Digital Subscriber Lines (DSL).
Communication connection(s) 1550 refers to the hardware/software employed to connect the network interface 1548 to the bus 1518. While communication connection 1550 is shown for illustrative clarity inside computer 1512, it can also be external to computer 1512. The hardware/software necessary for connection to the network interface 1 548 includes, for exemplary purposes only. internal and external technologies such as.
modems including regular telephone grade modems. cable modems and DSL modems.
ISDN adapters, and Ethernet cards.
What has been described above includes examples of the present invention. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the present invention, but one of ordinary skill in the art may recognize that many further combinations and permutations of the present invention are possible. Accordingly. the present invention is intended to embrace all MS303501.1 such alterations. modifications and variations that fall within the spirit and scope of the appended claims. Furthermore. to the extent that the term "includes" is used in either the detailed description or the claims. such term is intended to be inclusive in a manner similar to the term "comprising" as "comprising" is interpreted when employed as a transitional word in a claim.
Claims (70)
1. A system implemented on one or more computers that facilitates extracting data in connection with spam processing, comprising:
a component implemented on one or more processors that receives an item and extracts a set of features associated with at least one of an origination of a message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message, wherein the set of features comprises a host name and a domain name;
and a component that employs a subset of the extracted features in connection with building a filter, wherein the filter is at least one of stored on a computer readable storage medium, displayed on a display device, or employed by a component implemented on one or more processors.
a component implemented on one or more processors that receives an item and extracts a set of features associated with at least one of an origination of a message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message, wherein the set of features comprises a host name and a domain name;
and a component that employs a subset of the extracted features in connection with building a filter, wherein the filter is at least one of stored on a computer readable storage medium, displayed on a display device, or employed by a component implemented on one or more processors.
2. The system of claim 1, further comprising a normalization component that deobfuscates a subset of the features.
3. The system of claim 1, the filter being a spam filter.
4. The system of claim 1, the filter being a parental control filter.
5. The system of claim 1, further comprising a machine learning system component that employs the features to learn at least one of spam or non-spam.
6. The system of claim 1, the subset of features comprising at least one IP
address, the at least one IP address being at least a portion of any one of a reply-to address, a carbon copy address, a mail-to address, a received-from address, or a URL located in the message.
address, the at least one IP address being at least a portion of any one of a reply-to address, a carbon copy address, a mail-to address, a received-from address, or a URL located in the message.
7. The system of claim 6, the IP address comprising a block ID, wherein the block ID can be extracted as at least one feature.
8. The system of claim 7, wherein the block ID is determined at least in part by consulting a block directory.
9. The system of claim 8, wherein the block directory is arin.net.
10. The system of claim 7, wherein the block ID is determined at least in part by guessing, thereby extracting as features any one of at least a first 1 bit, at least a first 2 bits, at least a first 3 bits, and up to at least a first 31 bits of the IP
address.
address.
11. The system of claim 1, wherein the subset of features comprises each of a first 1 up to a first 31 bits of an IP address.
12. The system of claim 1, the subset of features comprising a URL.
13. The system of claim 12, wherein the URL address is located in at least one of a body of the message, embedded as text in the message, or embedded in an image in the message.
14. The system of claim 1, further comprising a component that employs at least a subset of the extracted features to populate at least one feature list.
15. The system of claim 14, the at least one feature list is any one of a list of good users, a list of spammers, a list of positive features indicating legitimate sender, or a list of features indicating spam.
16. The system of claim 1, wherein the subset of features comprises at least one URL.
17. The system of claim 16, wherein the URL is embedded as text in a body of the message.
18. The system of claim 16, wherein the URL is at least a portion of a link in a body of the message.
19. The system of claim 16, wherein the URL is at least a portion of a link embedded as an image in a message.
20. The system of claim 1, the subset of features comprising at least one of a host name or a domain name extracted from an email address.
21. The system of claim 1, the subset of features comprising at least a portion of an FQDN extracted from any one of an email address and a URL.
22. The system of claim 1, the subset of features comprising at least a portion of a domain name extracted from any one of an email address and a URL.
23. The system of claim 1, wherein at least a portion of the subset of the extracted features are normalized prior to be used in connection with a machine learning system.
24. The system of claim 1, wherein at least a portion of the subset of the extracted features are normalized prior to be used to populate at least one feature list.
25. The system of claim 1, further comprising a classification component that classifies at least a portion of at least one of a URL, an email address, and an IP
address as any one of adult, adult-content, unsuitable, unsuitable for some ages, suitable for all ages, inappropriate, or appropriate.
address as any one of adult, adult-content, unsuitable, unsuitable for some ages, suitable for all ages, inappropriate, or appropriate.
26. The system of claim 25, wherein the classification component is a parental control system.
27. The system of claim 25, wherein the classification component assigns at least one feature type to the classified portion of at least one of the URL, the website address, or the IP address.
28. The system of claim 1, wherein the set of features comprises at least one non-toll free telephone number, the telephone number comprising an area code to facilitate mapping a geographic location of a sender or contact associated with the message.
29. A computer readable memory having recorded thereon statements and instructions for execution by a computer, said statements and instructions comprising code means for implementing the components of claim 1.
30. A method that facilitates extracting data in connection with spam processing, comprising:
receiving a message;
extracting a set of features associated with at least one of an origination of the message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message, wherein the set of features comprises at least a portion of an IP address; wherein extracting at least a portion of the IP address comprises performing at least one of consulting a block ID
directory to determine at least one block ID corresponding to the IP address such that the block ID is extracted as an additional feature or extracting each of at least a first 1 bit up to a first 31 bits from the IP address; and employing a subset of the extracted features in connection with building a filter.
receiving a message;
extracting a set of features associated with at least one of an origination of the message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message, wherein the set of features comprises at least a portion of an IP address; wherein extracting at least a portion of the IP address comprises performing at least one of consulting a block ID
directory to determine at least one block ID corresponding to the IP address such that the block ID is extracted as an additional feature or extracting each of at least a first 1 bit up to a first 31 bits from the IP address; and employing a subset of the extracted features in connection with building a filter.
31. The method of claim 30, wherein at least one extracted IP address corresponds to at least one server.
32. The method of claim 31, further comprising extracting the at least one server as an additional feature.
33. The method of claim 30, further comprising deobfuscating at least a subset of the features extracted from the message.
34. The method of claim 30, further comprising deobfuscating at least a portion of at least one feature extracted from the message.
35. The method of claim 34, wherein deobfuscating a received-from IP
address extracted from the message comprises tracing back through a plurality of appended-to IP addresses to verify the appended-to IP addresses identity.
address extracted from the message comprises tracing back through a plurality of appended-to IP addresses to verify the appended-to IP addresses identity.
36. The method of claim 34, further comprising extracting additional features from a website address comprises performing at least one of the following acts:
removing at least one suffix at a time thereby yielding respective additional features; or removing at least one prefix at a time, thereby yielding respective additional features.
removing at least one suffix at a time thereby yielding respective additional features; or removing at least one prefix at a time, thereby yielding respective additional features.
37. The method of claim 34, wherein the set of features comprise at least a portion of any one of a reply-to address, a carbon copy address, a mail-to address, a URL, a link, or a received-from address.
38. The method of claim 30, wherein at least a subset of the extracted features are embedded as one of text and images in a body of the message.
39. The method of claim 30, wherein the set of features comprises a host name and a domain name.
40. The method of claim 30, farther comprising classifying one or more extracted features or portions thereof to indicate any one of suitable and unsuitable content associated with the message and using such classification as an additional feature.
41. The method of claim 30, farther comprising assigning a feature type to the respective extracted features to notify a user of message content based at least in part upon the respective extracted features and using the feature type as an additional feature.
42. The method of claim 41, farther comprising determining that at least one of a feature type and a feature are any one of rare and common and using a rarity and a commonality of a feature as an additional feature.
43. The method of claim 30, wherein the subset of features are employed in connection with building a filter via a machine learning system.
44. The method of claim 30, wherein the filter is a spam filter.
45. The method of claim 30, wherein the filter is a parental control filter.
46. The method of claim 30, farther comprising employing at least a subset of features extracted from the message to populate one or more feature lists.
47. The method of claim 46, wherein feature lists comprise at least one of positive feature lists indicating non-spammers or bad feature lists indicating spammers.
48. The method of claim 30, wherein the extracted features are deobfuscated at least in part prior to being employed as features of a machine learning system.
49. The method of claim 30, wherein the extracted features are deobfuscated at least in part prior to being employed as features to populate feature lists.
50. A system implemented on one or more computers that facilitates extracting data in connection with spam processing, comprising:
a means for receiving a message;
a means for extracting a set of features associated with at least one of an origination of the message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message, wherein the set of features comprises a host name and a domain name; and a means for employing a subset of the extracted features in connection with building a filter.
a means for receiving a message;
a means for extracting a set of features associated with at least one of an origination of the message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message, wherein the set of features comprises a host name and a domain name; and a means for employing a subset of the extracted features in connection with building a filter.
51. A system that facilitates extracting data in connection with spam processing, comprising.
a memory;
a processor coupled to the memory;
a component implemented on the processor that receives an item and extracts a set of features associated with at least one of an origination of a message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message, wherein the component that receives the item determines a last trusted server IP address to distinguish between legitimate and fake prepended server IP addresses and the last trusted server IP address is extracted as a feature from the item;
and a component implemented on the processor that employs a subset of the extracted features in connection with building a filter by adding the subset of the extracted features to a training set of data utilized for training and updating the filter, wherein the filter determines a probability that the message is spam when the subset of the extracted features passes through the filter.
a memory;
a processor coupled to the memory;
a component implemented on the processor that receives an item and extracts a set of features associated with at least one of an origination of a message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message, wherein the component that receives the item determines a last trusted server IP address to distinguish between legitimate and fake prepended server IP addresses and the last trusted server IP address is extracted as a feature from the item;
and a component implemented on the processor that employs a subset of the extracted features in connection with building a filter by adding the subset of the extracted features to a training set of data utilized for training and updating the filter, wherein the filter determines a probability that the message is spam when the subset of the extracted features passes through the filter.
52. The system of claim 51, further comprising a normalization component that deobfuscates a subset of the features.
53. The system of claim 51, further comprising a machine learning system component that employs the deobfuscated features to learn at least one of spam and non-spam.
54. The system of claim 51, the subset of features comprising at least one IP address, the at least one IP address being at least a portion of any one of a reply-to address, a carbon copy address, a mail-to address, a received-from address, and a URL located in the message.
55. The system of claim 54, the IP address comprising a block ID, wherein the block ID can be extracted as at least one feature.
56. The system of claim 55, wherein the block ID is determined at least in part by consulting a block directory.
57. The system of claim 55, wherein the block ID is determined at least in part by guessing, thereby extracting as features any one of at least a first 1 bit, at least a first 2 bits, at least a first 3 bits, and up to at least a first 31 bits of the IP
address.
address.
58. The system of claim 51, wherein the subset of features comprises each of a first 1 up to a first 31 bits of an IP address.
59. The system of claim 51, the subset of features comprising a URL.
60. The system of claim 51, further comprising a component that employs at least a subset of the extracted features to populate at least one feature list.
61. The system of claim 60, the at least one feature list is any one of a list of good users, a list of spammers, a list of positive features indicating legitimate sender, or a list of features indicating spam.
62. The system of claim 51, the subset of features comprising at least one of a host name or a domain name extracted from an email address.
63. The system of claim 51, the subset of features comprising at least a portion of an FQDN extracted from any one of an email address and a URL.
64. The system of claim 51, the subset of features comprising at least a portion of a domain name extracted from any one of an email address and a URL.
65. A method that facilitates extracting data in connection with spam processing, comprising:
receiving a message; extracting a set of features associated with at least one of an origination of the message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message;
wherein a last, trusted server IP address is an extracted feature from the message and a determination is made to distinguish between legitimate and fake prepended server IP addresses; and employing a subset of the extracted features in connection with building a filter by adding the subset of the extracted features to a training set of data utilized for training and updating the filter, wherein the filter determines a probability of the message being spam when the subset of the extracted features passes through the filter.
receiving a message; extracting a set of features associated with at least one of an origination of the message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message;
wherein a last, trusted server IP address is an extracted feature from the message and a determination is made to distinguish between legitimate and fake prepended server IP addresses; and employing a subset of the extracted features in connection with building a filter by adding the subset of the extracted features to a training set of data utilized for training and updating the filter, wherein the filter determines a probability of the message being spam when the subset of the extracted features passes through the filter.
66. The method of claim 65, wherein the set of features comprises website address.
67. The method of claim 66, further comprising extracting additional features from a website address comprises performing at least one of the following acts:
removing at least one suffix at a time thereby yielding respective additional features; and removing at least one prefix at a time, thereby yielding respective additional features.
removing at least one suffix at a time thereby yielding respective additional features; and removing at least one prefix at a time, thereby yielding respective additional features.
68. The method of claim 65, further comprising assigning a feature type to the respective extracted features to notify a user of message content based at least in part upon the respective extracted features and using the feature type as an additional feature.
69. The method of claim 68, further comprising determining that at least one of a feature type and a feature are any one of rare and common and using a rarity and a commonality of a feature as an additional feature.
70. A system that facilitates extracting data in connection with spam processing, comprising:
a memory;
a processor coupled to the memory;
a means for receiving a message;
a means for extracting a set of features associated with at least one of an origination of the message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message;
the means for extracting the set of features that determines a last trusted server IP address that distinguishes between legitimate and fake prepended server IP addresses, wherein the last trusted server IP address is extracted as a feature; and a means for employing a subset of the extracted features in connection with building a filter, wherein the filter determines a probability of the message being spam.
a memory;
a processor coupled to the memory;
a means for receiving a message;
a means for extracting a set of features associated with at least one of an origination of the message or part thereof or information that enables an intended recipient to contact, respond or receive in connection with the message;
the means for extracting the set of features that determines a last trusted server IP address that distinguishes between legitimate and fake prepended server IP addresses, wherein the last trusted server IP address is extracted as a feature; and a means for employing a subset of the extracted features in connection with building a filter, wherein the filter determines a probability of the message being spam.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/454,168 | 2003-06-04 | ||
US10/454,168 US7272853B2 (en) | 2003-06-04 | 2003-06-04 | Origination/destination features and lists for spam prevention |
Publications (2)
Publication Number | Publication Date |
---|---|
CA2467869A1 CA2467869A1 (en) | 2004-12-04 |
CA2467869C true CA2467869C (en) | 2013-03-19 |
Family
ID=33159539
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA2467869A Expired - Lifetime CA2467869C (en) | 2003-06-04 | 2004-05-20 | Origination/destination features and lists for spam prevention |
Country Status (14)
Country | Link |
---|---|
US (4) | US7272853B2 (en) |
EP (1) | EP1484893B1 (en) |
JP (1) | JP4672285B2 (en) |
KR (1) | KR101137065B1 (en) |
CN (1) | CN1573784B (en) |
AU (1) | AU2004202268B2 (en) |
BR (1) | BRPI0401849B1 (en) |
CA (1) | CA2467869C (en) |
MX (1) | MXPA04005335A (en) |
MY (1) | MY142668A (en) |
PL (1) | PL368364A1 (en) |
RU (1) | RU2378692C2 (en) |
TW (1) | TWI353146B (en) |
ZA (1) | ZA200404018B (en) |
Families Citing this family (432)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6643686B1 (en) * | 1998-12-18 | 2003-11-04 | At&T Corp. | System and method for counteracting message filtering |
US6408277B1 (en) | 2000-06-21 | 2002-06-18 | Banter Limited | System and method for automatic task prioritization |
US9699129B1 (en) * | 2000-06-21 | 2017-07-04 | International Business Machines Corporation | System and method for increasing email productivity |
US20110231564A1 (en) * | 2000-09-25 | 2011-09-22 | Yevgeny Korsunsky | Processing data flows with a data flow processor |
US9800608B2 (en) * | 2000-09-25 | 2017-10-24 | Symantec Corporation | Processing data flows with a data flow processor |
US9525696B2 (en) | 2000-09-25 | 2016-12-20 | Blue Coat Systems, Inc. | Systems and methods for processing data flows |
US8010469B2 (en) * | 2000-09-25 | 2011-08-30 | Crossbeam Systems, Inc. | Systems and methods for processing data flows |
US20100042565A1 (en) * | 2000-09-25 | 2010-02-18 | Crossbeam Systems, Inc. | Mezzazine in-depth data analysis facility |
US20110238855A1 (en) * | 2000-09-25 | 2011-09-29 | Yevgeny Korsunsky | Processing data flows with a data flow processor |
US20110213869A1 (en) * | 2000-09-25 | 2011-09-01 | Yevgeny Korsunsky | Processing data flows with a data flow processor |
US20110219035A1 (en) * | 2000-09-25 | 2011-09-08 | Yevgeny Korsunsky | Database security via data flow processing |
US20110214157A1 (en) * | 2000-09-25 | 2011-09-01 | Yevgeny Korsunsky | Securing a network with data flow processing |
US7644057B2 (en) * | 2001-01-03 | 2010-01-05 | International Business Machines Corporation | System and method for electronic communication management |
US7155608B1 (en) * | 2001-12-05 | 2006-12-26 | Bellsouth Intellectual Property Corp. | Foreign network SPAM blocker |
US8578480B2 (en) | 2002-03-08 | 2013-11-05 | Mcafee, Inc. | Systems and methods for identifying potentially malicious messages |
US8561167B2 (en) | 2002-03-08 | 2013-10-15 | Mcafee, Inc. | Web reputation scoring |
US20060015942A1 (en) * | 2002-03-08 | 2006-01-19 | Ciphertrust, Inc. | Systems and methods for classification of messaging entities |
US7716199B2 (en) | 2005-08-10 | 2010-05-11 | Google Inc. | Aggregating context data for programmable search engines |
US7743045B2 (en) * | 2005-08-10 | 2010-06-22 | Google Inc. | Detecting spam related and biased contexts for programmable search engines |
US7693830B2 (en) | 2005-08-10 | 2010-04-06 | Google Inc. | Programmable search engine |
US20080196099A1 (en) * | 2002-06-10 | 2008-08-14 | Akonix Systems, Inc. | Systems and methods for detecting and blocking malicious content in instant messages |
US7428590B2 (en) * | 2002-06-10 | 2008-09-23 | Akonix Systems, Inc. | Systems and methods for reflecting messages associated with a target protocol within a network |
WO2004059506A1 (en) * | 2002-12-26 | 2004-07-15 | Commtouch Software Ltd. | Detection and prevention of spam |
US7533148B2 (en) * | 2003-01-09 | 2009-05-12 | Microsoft Corporation | Framework to enable integration of anti-spam technologies |
US7219131B2 (en) * | 2003-01-16 | 2007-05-15 | Ironport Systems, Inc. | Electronic message delivery using an alternate source approach |
US7760729B2 (en) | 2003-05-28 | 2010-07-20 | Citrix Systems, Inc. | Policy based network address translation |
US7376652B2 (en) * | 2003-06-17 | 2008-05-20 | The Hayes-Roth Family Trust | Personal portal and secure information exchange |
US8145710B2 (en) * | 2003-06-18 | 2012-03-27 | Symantec Corporation | System and method for filtering spam messages utilizing URL filtering module |
US7155484B2 (en) * | 2003-06-30 | 2006-12-26 | Bellsouth Intellectual Property Corporation | Filtering email messages corresponding to undesirable geographical regions |
US9412123B2 (en) | 2003-07-01 | 2016-08-09 | The 41St Parameter, Inc. | Keystroke analysis |
US7526730B1 (en) * | 2003-07-01 | 2009-04-28 | Aol Llc | Identifying URL target hostnames |
US8214437B1 (en) * | 2003-07-21 | 2012-07-03 | Aol Inc. | Online adaptive filtering of messages |
US7814545B2 (en) * | 2003-07-22 | 2010-10-12 | Sonicwall, Inc. | Message classification using classifiers |
US7421498B2 (en) * | 2003-08-25 | 2008-09-02 | Microsoft Corporation | Method and system for URL based filtering of electronic communications and web pages |
US7835294B2 (en) * | 2003-09-03 | 2010-11-16 | Gary Stephen Shuster | Message filtering method |
US8271588B1 (en) * | 2003-09-24 | 2012-09-18 | Symantec Corporation | System and method for filtering fraudulent email messages |
WO2005034537A1 (en) * | 2003-10-08 | 2005-04-14 | Three B Technologies Pty Ltd | Method and system for authorising short message service (sms) messages |
US20050080642A1 (en) * | 2003-10-14 | 2005-04-14 | Daniell W. Todd | Consolidated email filtering user interface |
US7610341B2 (en) * | 2003-10-14 | 2009-10-27 | At&T Intellectual Property I, L.P. | Filtered email differentiation |
US7451184B2 (en) * | 2003-10-14 | 2008-11-11 | At&T Intellectual Property I, L.P. | Child protection from harmful email |
US7930351B2 (en) * | 2003-10-14 | 2011-04-19 | At&T Intellectual Property I, L.P. | Identifying undesired email messages having attachments |
US7664812B2 (en) * | 2003-10-14 | 2010-02-16 | At&T Intellectual Property I, L.P. | Phonetic filtering of undesired email messages |
US7673066B2 (en) * | 2003-11-07 | 2010-03-02 | Sony Corporation | File transfer protocol for mobile computer |
US7978716B2 (en) | 2003-11-24 | 2011-07-12 | Citrix Systems, Inc. | Systems and methods for providing a VPN solution |
US7444403B1 (en) | 2003-11-25 | 2008-10-28 | Microsoft Corporation | Detecting sexually predatory content in an electronic communication |
US8990928B1 (en) | 2003-12-11 | 2015-03-24 | Radix Holdings, Llc | URL salience |
US20050160258A1 (en) * | 2003-12-11 | 2005-07-21 | Bioobservation Systems Limited | Detecting objectionable content in displayed images |
US7590694B2 (en) | 2004-01-16 | 2009-09-15 | Gozoom.Com, Inc. | System for determining degrees of similarity in email message information |
JP2005208780A (en) * | 2004-01-21 | 2005-08-04 | Nec Corp | Mail filtering system and url black list dynamic construction method to be used for the same |
US7184929B2 (en) * | 2004-01-28 | 2007-02-27 | Microsoft Corporation | Exponential priors for maximum entropy models |
US8856239B1 (en) | 2004-02-10 | 2014-10-07 | Sonicwall, Inc. | Message classification based on likelihood of spoofing |
CA2554915C (en) * | 2004-02-17 | 2013-05-28 | Ironport Systems, Inc. | Collecting, aggregating, and managing information relating to electronic messages |
US7617531B1 (en) * | 2004-02-18 | 2009-11-10 | Citrix Systems, Inc. | Inferencing data types of message components |
US8214438B2 (en) * | 2004-03-01 | 2012-07-03 | Microsoft Corporation | (More) advanced spam detection features |
US10999298B2 (en) | 2004-03-02 | 2021-05-04 | The 41St Parameter, Inc. | Method and system for identifying users and detecting fraud by use of the internet |
US7631044B2 (en) | 2004-03-09 | 2009-12-08 | Gozoom.Com, Inc. | Suppression of undesirable network messages |
US7644127B2 (en) * | 2004-03-09 | 2010-01-05 | Gozoom.Com, Inc. | Email analysis using fuzzy matching of text |
US8918466B2 (en) * | 2004-03-09 | 2014-12-23 | Tonny Yu | System for email processing and analysis |
US20050289239A1 (en) * | 2004-03-16 | 2005-12-29 | Prakash Vipul V | Method and an apparatus to classify electronic communication |
US20060031394A1 (en) * | 2004-04-20 | 2006-02-09 | Tazuma Stanley K | Apparatus and methods for transparent handling of browser proxy configurations in a network gateway device |
US7870608B2 (en) | 2004-05-02 | 2011-01-11 | Markmonitor, Inc. | Early detection and monitoring of online fraud |
US8041769B2 (en) | 2004-05-02 | 2011-10-18 | Markmonitor Inc. | Generating phish messages |
US7992204B2 (en) * | 2004-05-02 | 2011-08-02 | Markmonitor, Inc. | Enhanced responses to online fraud |
US7913302B2 (en) * | 2004-05-02 | 2011-03-22 | Markmonitor, Inc. | Advanced responses to online fraud |
US8769671B2 (en) | 2004-05-02 | 2014-07-01 | Markmonitor Inc. | Online fraud solution |
US9203648B2 (en) | 2004-05-02 | 2015-12-01 | Thomson Reuters Global Resources | Online fraud solution |
US7457823B2 (en) * | 2004-05-02 | 2008-11-25 | Markmonitor Inc. | Methods and systems for analyzing data related to possible online fraud |
US7941490B1 (en) * | 2004-05-11 | 2011-05-10 | Symantec Corporation | Method and apparatus for detecting spam in email messages and email attachments |
US7523498B2 (en) * | 2004-05-20 | 2009-04-21 | International Business Machines Corporation | Method and system for monitoring personal computer documents for sensitive data |
US7734093B2 (en) * | 2004-05-20 | 2010-06-08 | Ricoh Co., Ltd. | Paper-based upload and tracking system |
AU2005248858B8 (en) * | 2004-05-25 | 2011-05-26 | Google Llc | Electronic message source reputation information system |
US7756930B2 (en) | 2004-05-28 | 2010-07-13 | Ironport Systems, Inc. | Techniques for determining the reputation of a message sender |
US7917588B2 (en) | 2004-05-29 | 2011-03-29 | Ironport Systems, Inc. | Managing delivery of electronic messages using bounce profiles |
US7849142B2 (en) | 2004-05-29 | 2010-12-07 | Ironport Systems, Inc. | Managing connections, messages, and directory harvest attacks at a server |
US8166310B2 (en) * | 2004-05-29 | 2012-04-24 | Ironport Systems, Inc. | Method and apparatus for providing temporary access to a network device |
US7873695B2 (en) | 2004-05-29 | 2011-01-18 | Ironport Systems, Inc. | Managing connections and messages at a server by associating different actions for both different senders and different recipients |
US7870200B2 (en) * | 2004-05-29 | 2011-01-11 | Ironport Systems, Inc. | Monitoring the flow of messages received at a server |
US7748038B2 (en) * | 2004-06-16 | 2010-06-29 | Ironport Systems, Inc. | Method and apparatus for managing computer virus outbreaks |
US20050283519A1 (en) * | 2004-06-17 | 2005-12-22 | Commtouch Software, Ltd. | Methods and systems for combating spam |
US8739274B2 (en) | 2004-06-30 | 2014-05-27 | Citrix Systems, Inc. | Method and device for performing integrated caching in a data communication network |
US7757074B2 (en) | 2004-06-30 | 2010-07-13 | Citrix Application Networking, Llc | System and method for establishing a virtual private network |
US7580981B1 (en) * | 2004-06-30 | 2009-08-25 | Google Inc. | System for determining email spam by delivery path |
US8495305B2 (en) | 2004-06-30 | 2013-07-23 | Citrix Systems, Inc. | Method and device for performing caching of dynamically generated objects in a data communication network |
WO2006012610A2 (en) | 2004-07-23 | 2006-02-02 | Citrix Systems, Inc. | Systems and methods for optimizing communications between network nodes |
AU2005266945A1 (en) | 2004-07-23 | 2006-02-02 | Citrix Systems, Inc. | A method and systems for securing remote access to private networks |
US7580921B2 (en) * | 2004-07-26 | 2009-08-25 | Google Inc. | Phrase identification in an information retrieval system |
US7711679B2 (en) | 2004-07-26 | 2010-05-04 | Google Inc. | Phrase-based detection of duplicate documents in an information retrieval system |
US7567959B2 (en) | 2004-07-26 | 2009-07-28 | Google Inc. | Multiple index based information retrieval system |
US7702618B1 (en) | 2004-07-26 | 2010-04-20 | Google Inc. | Information retrieval system for archiving multiple document versions |
EP1782241A4 (en) * | 2004-07-27 | 2008-04-09 | U S Telecom Inc | Method for blocking unwanted e-mail based on proximity detection |
US20060069667A1 (en) * | 2004-09-30 | 2006-03-30 | Microsoft Corporation | Content evaluation |
US8799465B2 (en) * | 2004-10-13 | 2014-08-05 | International Business Machines Corporation | Fake web addresses and hyperlinks |
US8635690B2 (en) | 2004-11-05 | 2014-01-21 | Mcafee, Inc. | Reputation based message processing |
US7711781B2 (en) * | 2004-11-09 | 2010-05-04 | International Business Machines Corporation | Technique for detecting and blocking unwanted instant messages |
US8032594B2 (en) * | 2004-11-10 | 2011-10-04 | Digital Envoy, Inc. | Email anti-phishing inspector |
US20060168066A1 (en) * | 2004-11-10 | 2006-07-27 | David Helsper | Email anti-phishing inspector |
US7580982B2 (en) * | 2004-12-14 | 2009-08-25 | The Go Daddy Group, Inc. | Email filtering system and method |
US7734670B2 (en) * | 2004-12-15 | 2010-06-08 | Microsoft Corporation | Actionable email documents |
US20060168032A1 (en) * | 2004-12-21 | 2006-07-27 | Lucent Technologies, Inc. | Unwanted message (spam) detection based on message content |
US20060168030A1 (en) * | 2004-12-21 | 2006-07-27 | Lucent Technologies, Inc. | Anti-spam service |
US8549149B2 (en) | 2004-12-30 | 2013-10-01 | Citrix Systems, Inc. | Systems and methods for providing client-side accelerated access to remote applications via TCP multiplexing |
US8954595B2 (en) | 2004-12-30 | 2015-02-10 | Citrix Systems, Inc. | Systems and methods for providing client-side accelerated access to remote applications via TCP buffering |
US8700695B2 (en) | 2004-12-30 | 2014-04-15 | Citrix Systems, Inc. | Systems and methods for providing client-side accelerated access to remote applications via TCP pooling |
US8706877B2 (en) | 2004-12-30 | 2014-04-22 | Citrix Systems, Inc. | Systems and methods for providing client-side dynamic redirection to bypass an intermediary |
US7810089B2 (en) | 2004-12-30 | 2010-10-05 | Citrix Systems, Inc. | Systems and methods for automatic installation and execution of a client-side acceleration program |
US20060168042A1 (en) * | 2005-01-07 | 2006-07-27 | International Business Machines Corporation | Mechanism for mitigating the problem of unsolicited email (also known as "spam" |
US8255456B2 (en) | 2005-12-30 | 2012-08-28 | Citrix Systems, Inc. | System and method for performing flash caching of dynamically generated objects in a data communication network |
US8281401B2 (en) * | 2005-01-25 | 2012-10-02 | Whitehat Security, Inc. | System for detecting vulnerabilities in web applications using client-side application interfaces |
US20060230039A1 (en) * | 2005-01-25 | 2006-10-12 | Markmonitor, Inc. | Online identity tracking |
US7647380B2 (en) * | 2005-01-31 | 2010-01-12 | Microsoft Corporation | Datacenter mail routing |
DE102005004464A1 (en) | 2005-01-31 | 2006-10-26 | Robert Bosch Gmbh | Method for storing messages in a message memory and message memory |
US7962510B2 (en) * | 2005-02-11 | 2011-06-14 | Microsoft Corporation | Using content analysis to detect spam web pages |
JP4670049B2 (en) * | 2005-02-16 | 2011-04-13 | 国立大学法人豊橋技術科学大学 | E-mail filtering program, e-mail filtering method, e-mail filtering system |
DE102005011169B4 (en) * | 2005-03-09 | 2010-09-30 | 1&1 Internet Ag | Method and system for an e-mail service with preparation of information e-mails of another Internet service |
US7590698B1 (en) * | 2005-03-14 | 2009-09-15 | Symantec Corporation | Thwarting phishing attacks by using pre-established policy files |
US7975010B1 (en) * | 2005-03-23 | 2011-07-05 | Symantec Corporation | Countering spam through address comparison |
US20060224677A1 (en) * | 2005-04-01 | 2006-10-05 | Baytsp | Method and apparatus for detecting email fraud |
US8898162B2 (en) * | 2005-04-01 | 2014-11-25 | International Business Machines Corporation | Methods, systems, and computer program products for providing customized content over a network |
GB2424969A (en) * | 2005-04-04 | 2006-10-11 | Messagelabs Ltd | Training an anti-spam filter |
GB2425855A (en) * | 2005-04-25 | 2006-11-08 | Messagelabs Ltd | Detecting and filtering of spam emails |
JP5118020B2 (en) * | 2005-05-05 | 2013-01-16 | シスコ アイアンポート システムズ エルエルシー | Identifying threats in electronic messages |
JP4559295B2 (en) * | 2005-05-17 | 2010-10-06 | 株式会社エヌ・ティ・ティ・ドコモ | Data communication system and data communication method |
US20070097976A1 (en) * | 2005-05-20 | 2007-05-03 | Wood George D | Suspect traffic redirection |
US8312172B2 (en) * | 2005-05-26 | 2012-11-13 | Bytemobile, Inc. | Method and system for delta compression |
US20060277259A1 (en) * | 2005-06-07 | 2006-12-07 | Microsoft Corporation | Distributed sender reputations |
US8010609B2 (en) * | 2005-06-20 | 2011-08-30 | Symantec Corporation | Method and apparatus for maintaining reputation lists of IP addresses to detect email spam |
US7739337B1 (en) | 2005-06-20 | 2010-06-15 | Symantec Corporation | Method and apparatus for grouping spam email messages |
GB0512744D0 (en) * | 2005-06-22 | 2005-07-27 | Blackspider Technologies | Method and system for filtering electronic messages |
US7636734B2 (en) * | 2005-06-23 | 2009-12-22 | Microsoft Corporation | Method for probabilistic analysis of most frequently occurring electronic message addresses within personal store (.PST) files to determine owner with confidence factor based on relative weight and set of user-specified factors |
US8726369B1 (en) | 2005-08-11 | 2014-05-13 | Aaron T. Emigh | Trusted path, authentication and data security |
US7809156B2 (en) | 2005-08-12 | 2010-10-05 | Ricoh Company, Ltd. | Techniques for generating and using a fingerprint for an article |
US8176077B2 (en) | 2005-09-02 | 2012-05-08 | Qwest Communications International Inc. | Location based access to financial information systems and methods |
US8166068B2 (en) | 2005-09-02 | 2012-04-24 | Qwest | Location based authorization of financial card transactions systems and methods |
US7697942B2 (en) * | 2005-09-02 | 2010-04-13 | Stevens Gilman R | Location based rules architecture systems and methods |
US7487170B2 (en) * | 2005-09-02 | 2009-02-03 | Qwest Communications International Inc. | Location information for avoiding unwanted communications systems and methods |
US20070061402A1 (en) * | 2005-09-15 | 2007-03-15 | Microsoft Corporation | Multipurpose internet mail extension (MIME) analysis |
US8078681B2 (en) | 2005-09-29 | 2011-12-13 | Teamon Systems, Inc. | System and method for provisioning an email account using mail exchange records |
US8117267B2 (en) | 2005-09-29 | 2012-02-14 | Teamon Systems, Inc. | System and method for provisioning an email account using mail exchange and address records |
US20070078934A1 (en) * | 2005-09-30 | 2007-04-05 | Teamon Systems, Inc. | System and method for provisioning an email account hosted on an assured email service provider |
US7912907B1 (en) * | 2005-10-07 | 2011-03-22 | Symantec Corporation | Spam email detection based on n-grams with feature selection |
US20070118759A1 (en) * | 2005-10-07 | 2007-05-24 | Sheppard Scott K | Undesirable email determination |
US20070088789A1 (en) * | 2005-10-18 | 2007-04-19 | Reuben Berman | Method and system for indicating an email sender as spammer |
WO2007050244A2 (en) * | 2005-10-27 | 2007-05-03 | Georgia Tech Research Corporation | Method and system for detecting and responding to attacking networks |
US8272064B2 (en) * | 2005-11-16 | 2012-09-18 | The Boeing Company | Automated rule generation for a secure downgrader |
US8938671B2 (en) | 2005-12-16 | 2015-01-20 | The 41St Parameter, Inc. | Methods and apparatus for securely displaying digital images |
US11301585B2 (en) | 2005-12-16 | 2022-04-12 | The 41St Parameter, Inc. | Methods and apparatus for securely displaying digital images |
US7921184B2 (en) | 2005-12-30 | 2011-04-05 | Citrix Systems, Inc. | System and method for performing flash crowd caching of dynamically generated objects in a data communication network |
US8301839B2 (en) | 2005-12-30 | 2012-10-30 | Citrix Systems, Inc. | System and method for performing granular invalidation of cached dynamically generated objects in a data communication network |
US7475118B2 (en) * | 2006-02-03 | 2009-01-06 | International Business Machines Corporation | Method for recognizing spam email |
US7827280B2 (en) * | 2006-02-28 | 2010-11-02 | Red Hat, Inc. | System and method for domain name filtering through the domain name system |
US7627641B2 (en) * | 2006-03-09 | 2009-12-01 | Watchguard Technologies, Inc. | Method and system for recognizing desired email |
US8151327B2 (en) | 2006-03-31 | 2012-04-03 | The 41St Parameter, Inc. | Systems and methods for detection of session tampering and fraud prevention |
US8689102B2 (en) * | 2006-03-31 | 2014-04-01 | Ricoh Company, Ltd. | User interface for creating and using media keys |
US20070233612A1 (en) * | 2006-03-31 | 2007-10-04 | Ricoh Company, Ltd. | Techniques for generating a media key |
US9525547B2 (en) * | 2006-03-31 | 2016-12-20 | Ricoh Company, Ltd. | Transmission of media keys |
US8554690B2 (en) * | 2006-03-31 | 2013-10-08 | Ricoh Company, Ltd. | Techniques for using media keys |
US7809796B1 (en) * | 2006-04-05 | 2010-10-05 | Ironport Systems, Inc. | Method of controlling access to network resources using information in electronic mail messages |
US7849502B1 (en) * | 2006-04-29 | 2010-12-07 | Ironport Systems, Inc. | Apparatus for monitoring network traffic |
US20080082662A1 (en) * | 2006-05-19 | 2008-04-03 | Richard Dandliker | Method and apparatus for controlling access to network resources based on reputation |
US8112484B1 (en) * | 2006-05-31 | 2012-02-07 | Proofpoint, Inc. | Apparatus and method for auxiliary classification for generating features for a spam filtering model |
US8489689B1 (en) * | 2006-05-31 | 2013-07-16 | Proofpoint, Inc. | Apparatus and method for obfuscation detection within a spam filtering model |
US8307038B2 (en) * | 2006-06-09 | 2012-11-06 | Microsoft Corporation | Email addresses relevance determination and uses |
US8020206B2 (en) | 2006-07-10 | 2011-09-13 | Websense, Inc. | System and method of analyzing web content |
US8615800B2 (en) | 2006-07-10 | 2013-12-24 | Websense, Inc. | System and method for analyzing web content |
US8646071B2 (en) * | 2006-08-07 | 2014-02-04 | Symantec Corporation | Method and system for validating site data |
WO2008021244A2 (en) * | 2006-08-10 | 2008-02-21 | Trustees Of Tufts College | Systems and methods for identifying unwanted or harmful electronic text |
US20080052360A1 (en) * | 2006-08-22 | 2008-02-28 | Microsoft Corporation | Rules Profiler |
US20160248813A1 (en) * | 2006-08-23 | 2016-08-25 | Threatstop, Inc. | Method and system for propagating network policy |
US8078625B1 (en) * | 2006-09-11 | 2011-12-13 | Aol Inc. | URL-based content categorization |
US7606214B1 (en) * | 2006-09-14 | 2009-10-20 | Trend Micro Incorporated | Anti-spam implementations in a router at the network layer |
CN101155182A (en) * | 2006-09-30 | 2008-04-02 | 阿里巴巴公司 | Garbage information filtering method and apparatus based on network |
US7882187B2 (en) * | 2006-10-12 | 2011-02-01 | Watchguard Technologies, Inc. | Method and system for detecting undesired email containing image-based messages |
GB2443469A (en) * | 2006-11-03 | 2008-05-07 | Messagelabs Ltd | Detection of image spam |
US8577968B2 (en) * | 2006-11-14 | 2013-11-05 | Mcafee, Inc. | Method and system for handling unwanted email messages |
US8590002B1 (en) | 2006-11-29 | 2013-11-19 | Mcafee Inc. | System, method and computer program product for maintaining a confidentiality of data on a network |
US9654495B2 (en) | 2006-12-01 | 2017-05-16 | Websense, Llc | System and method of analyzing web addresses |
US8135780B2 (en) * | 2006-12-01 | 2012-03-13 | Microsoft Corporation | Email safety determination |
US8180735B2 (en) * | 2006-12-29 | 2012-05-15 | Prodea Systems, Inc. | Managed file backup and restore at remote storage locations through multi-services gateway at user premises |
US9497205B1 (en) * | 2008-05-19 | 2016-11-15 | Emc Corporation | Global commonality and network logging |
US9152706B1 (en) | 2006-12-30 | 2015-10-06 | Emc Corporation | Anonymous identification tokens |
WO2008087438A1 (en) * | 2007-01-18 | 2008-07-24 | Roke Manor Research Limited | A method of extracting sections of a data stream |
GB2458094A (en) | 2007-01-09 | 2009-09-09 | Surfcontrol On Demand Ltd | URL interception and categorization in firewalls |
US20080177843A1 (en) * | 2007-01-22 | 2008-07-24 | Microsoft Corporation | Inferring email action based on user input |
US8214497B2 (en) | 2007-01-24 | 2012-07-03 | Mcafee, Inc. | Multi-dimensional reputation scoring |
US7779156B2 (en) | 2007-01-24 | 2010-08-17 | Mcafee, Inc. | Reputation based load balancing |
US8763114B2 (en) * | 2007-01-24 | 2014-06-24 | Mcafee, Inc. | Detecting image spam |
US8356076B1 (en) | 2007-01-30 | 2013-01-15 | Proofpoint, Inc. | Apparatus and method for performing spam detection and filtering using an image history table |
US7716297B1 (en) | 2007-01-30 | 2010-05-11 | Proofpoint, Inc. | Message stream analysis for spam detection and filtering |
US7849193B1 (en) | 2007-02-01 | 2010-12-07 | Adobe Systems Incorporated | Multiple hyperlinks in a uniform resource locator |
US20080201722A1 (en) * | 2007-02-20 | 2008-08-21 | Gurusamy Sarathy | Method and System For Unsafe Content Tracking |
US8291021B2 (en) * | 2007-02-26 | 2012-10-16 | Red Hat, Inc. | Graphical spam detection and filtering |
US8595204B2 (en) * | 2007-03-05 | 2013-11-26 | Microsoft Corporation | Spam score propagation for web spam detection |
US8756673B2 (en) | 2007-03-30 | 2014-06-17 | Ricoh Company, Ltd. | Techniques for sharing data |
US20080243702A1 (en) * | 2007-03-30 | 2008-10-02 | Ricoh Company, Ltd. | Tokens Usable in Value-Based Transactions |
US20080250106A1 (en) * | 2007-04-03 | 2008-10-09 | George Leslie Rugg | Use of Acceptance Methods for Accepting Email and Messages |
US7861260B2 (en) | 2007-04-17 | 2010-12-28 | Almondnet, Inc. | Targeted television advertisements based on online behavior |
US8725597B2 (en) * | 2007-04-25 | 2014-05-13 | Google Inc. | Merchant scoring system and transactional database |
US8621008B2 (en) | 2007-04-26 | 2013-12-31 | Mcafee, Inc. | System, method and computer program product for performing an action based on an aspect of an electronic mail message thread |
US20080270549A1 (en) * | 2007-04-26 | 2008-10-30 | Microsoft Corporation | Extracting link spam using random walks and spam seeds |
GB0709527D0 (en) | 2007-05-18 | 2007-06-27 | Surfcontrol Plc | Electronic messaging system, message processing apparatus and message processing method |
US9083556B2 (en) * | 2007-05-31 | 2015-07-14 | Rpx Clearinghouse Llc | System and method for detectng malicious mail from spam zombies |
US7693806B2 (en) * | 2007-06-21 | 2010-04-06 | Microsoft Corporation | Classification using a cascade approach |
US8856360B2 (en) * | 2007-06-22 | 2014-10-07 | Microsoft Corporation | Automatically identifying dynamic internet protocol addresses |
US7899870B2 (en) * | 2007-06-25 | 2011-03-01 | Microsoft Corporation | Determination of participation in a malicious software campaign |
US7882177B2 (en) * | 2007-08-06 | 2011-02-01 | Yahoo! Inc. | Employing pixel density to detect a spam image |
US8199965B1 (en) | 2007-08-17 | 2012-06-12 | Mcafee, Inc. | System, method, and computer program product for preventing image-related data loss |
US20090063481A1 (en) * | 2007-08-31 | 2009-03-05 | Faus Norman L | Systems and methods for developing features for a product |
US20130276061A1 (en) | 2007-09-05 | 2013-10-17 | Gopi Krishna Chebiyyam | System, method, and computer program product for preventing access to data with respect to a data access attempt associated with a remote data sharing session |
US8117223B2 (en) | 2007-09-07 | 2012-02-14 | Google Inc. | Integrating external related phrase information into a phrase-based indexing information retrieval system |
DE102007045909A1 (en) * | 2007-09-26 | 2009-08-06 | T-Mobile Internationale Ag | Method for protection against viruses / spam in mobile networks |
US20090089859A1 (en) * | 2007-09-28 | 2009-04-02 | Cook Debra L | Method and apparatus for detecting phishing attempts solicited by electronic mail |
US8446607B2 (en) * | 2007-10-01 | 2013-05-21 | Mcafee, Inc. | Method and system for policy based monitoring and blocking of printing activities on local and network printers |
US8185930B2 (en) | 2007-11-06 | 2012-05-22 | Mcafee, Inc. | Adjusting filter or classification control settings |
CN101163161B (en) * | 2007-11-07 | 2012-02-29 | 福建星网锐捷网络有限公司 | United resource localizer address filtering method and intermediate transmission equipment |
US8479284B1 (en) * | 2007-12-20 | 2013-07-02 | Symantec Corporation | Referrer context identification for remote object links |
JP2009157510A (en) * | 2007-12-25 | 2009-07-16 | Nec Corp | System, method and program for identifying spam information |
US8503302B2 (en) * | 2007-12-31 | 2013-08-06 | Telecom Italia S.P.A. | Method of detecting anomalies in a communication system using numerical packet features |
EP2227889B1 (en) * | 2007-12-31 | 2011-07-13 | Telecom Italia S.p.A. | Method of detecting anomalies in a communication system using symbolic packet features |
US20090171906A1 (en) * | 2008-01-02 | 2009-07-02 | Research In Motion Limited | System and method for providing information relating to an email being provided to an electronic device |
US20090216875A1 (en) * | 2008-02-26 | 2009-08-27 | Barracuda Inc. | Filtering secure network messages without cryptographic processes method |
US8370930B2 (en) * | 2008-02-28 | 2013-02-05 | Microsoft Corporation | Detecting spam from metafeatures of an email message |
US20090228438A1 (en) * | 2008-03-07 | 2009-09-10 | Anirban Dasgupta | Method and Apparatus for Identifying if Two Websites are Co-Owned |
US8107670B2 (en) * | 2008-03-11 | 2012-01-31 | Symantec Corporation | Scanning images for pornography |
US7996900B2 (en) | 2008-03-14 | 2011-08-09 | Microsoft Corporation | Time travelling email messages after delivery |
US8893285B2 (en) | 2008-03-14 | 2014-11-18 | Mcafee, Inc. | Securing data using integrated host-based data loss agent with encryption detection |
US20090240670A1 (en) * | 2008-03-20 | 2009-09-24 | Yahoo! Inc. | Uniform resource identifier alignment |
US8745731B2 (en) * | 2008-04-03 | 2014-06-03 | Microsoft Corporation | Clustering botnet behavior using parameterized models |
US8589503B2 (en) | 2008-04-04 | 2013-11-19 | Mcafee, Inc. | Prioritizing network traffic |
US8108323B2 (en) * | 2008-05-19 | 2012-01-31 | Yahoo! Inc. | Distributed spam filtering utilizing a plurality of global classifiers and a local classifier |
JP5324824B2 (en) * | 2008-05-27 | 2013-10-23 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Information processing apparatus, information processing system, information processing method, and program for classifying network nodes |
US8291054B2 (en) | 2008-05-27 | 2012-10-16 | International Business Machines Corporation | Information processing system, method and program for classifying network nodes |
US20090300012A1 (en) * | 2008-05-28 | 2009-12-03 | Barracuda Inc. | Multilevel intent analysis method for email filtration |
US20090300127A1 (en) * | 2008-06-03 | 2009-12-03 | Qiang Du | E-mail forwarding method and system |
JP5209114B2 (en) | 2008-06-25 | 2013-06-12 | テレフオンアクチーボラゲット エル エム エリクソン(パブル) | Service brokering using domain name servers |
US20090327849A1 (en) * | 2008-06-27 | 2009-12-31 | Microsoft Corporation | Link Classification and Filtering |
CA2729158A1 (en) | 2008-06-30 | 2010-01-07 | Websense, Inc. | System and method for dynamic and real-time categorization of webpages |
US20100011420A1 (en) * | 2008-07-02 | 2010-01-14 | Barracuda Networks Inc. | Operating a service on a network as a domain name system server |
US8219644B2 (en) * | 2008-07-03 | 2012-07-10 | Barracuda Networks, Inc. | Requesting a service or transmitting content as a domain name system resolver |
US9077684B1 (en) | 2008-08-06 | 2015-07-07 | Mcafee, Inc. | System, method, and computer program product for determining whether an electronic mail message is compliant with an etiquette policy |
US10027688B2 (en) * | 2008-08-11 | 2018-07-17 | Damballa, Inc. | Method and system for detecting malicious and/or botnet-related domain names |
US20100042687A1 (en) * | 2008-08-12 | 2010-02-18 | Yahoo! Inc. | System and method for combating phishing |
US7818686B2 (en) | 2008-09-04 | 2010-10-19 | International Business Machines Corporation | System and method for accelerated web page navigation using keyboard accelerators in a data processing system |
US8868663B2 (en) * | 2008-09-19 | 2014-10-21 | Yahoo! Inc. | Detection of outbound sending of spam |
US20100082749A1 (en) * | 2008-09-26 | 2010-04-01 | Yahoo! Inc | Retrospective spam filtering |
CN101364955B (en) * | 2008-09-28 | 2010-10-20 | 杭州电子科技大学 | Method for analyzing and extracting evidence of e-mail customer terminal |
US9070116B2 (en) * | 2008-10-09 | 2015-06-30 | At&T Mobility Ii Llc | On-demand spam reporting |
JP5366504B2 (en) * | 2008-11-05 | 2013-12-11 | Kddi株式会社 | Mail receiving server, spam mail receiving method and program |
US8364765B2 (en) * | 2008-11-13 | 2013-01-29 | International Business Machines Corporation | Prioritizing electronic messages based upon geographical location of the recipient |
US8447856B2 (en) * | 2008-11-25 | 2013-05-21 | Barracuda Networks, Inc. | Policy-managed DNS server for to control network traffic |
US20100174829A1 (en) * | 2009-01-06 | 2010-07-08 | Barracuda Networks, Inc | Apparatus for to provide content to and query a reverse domain name system server |
US20100229236A1 (en) * | 2009-02-08 | 2010-09-09 | Rybak Michal Andrzej | Method and system for spam reporting with a message portion |
US8631080B2 (en) * | 2009-03-12 | 2014-01-14 | Microsoft Corporation | Email characterization |
US8166104B2 (en) * | 2009-03-19 | 2012-04-24 | Microsoft Corporation | Client-centered usage classification |
US9112850B1 (en) | 2009-03-25 | 2015-08-18 | The 41St Parameter, Inc. | Systems and methods of sharing information through a tag-based consortium |
US20100257035A1 (en) * | 2009-04-07 | 2010-10-07 | Microsoft Corporation | Embedded content brokering and advertisement selection delegation |
US20100262547A1 (en) * | 2009-04-14 | 2010-10-14 | Microsoft Corporation | User information brokering |
US20100281224A1 (en) * | 2009-05-01 | 2010-11-04 | International Buisness Machines Corporation | Prefetching content from incoming messages |
EP2443580A1 (en) | 2009-05-26 | 2012-04-25 | Websense, Inc. | Systems and methods for efficeint detection of fingerprinted data and information |
US8549627B2 (en) * | 2009-06-13 | 2013-10-01 | Microsoft Corporation | Detection of objectionable videos |
US8925087B1 (en) * | 2009-06-19 | 2014-12-30 | Trend Micro Incorporated | Apparatus and methods for in-the-cloud identification of spam and/or malware |
US8959157B2 (en) * | 2009-06-26 | 2015-02-17 | Microsoft Corporation | Real-time spam look-up system |
JP2011034416A (en) * | 2009-08-04 | 2011-02-17 | Kddi Corp | Device, method and program for classifying electronic mail |
JP2011034417A (en) * | 2009-08-04 | 2011-02-17 | Kddi Corp | Device, method and program for determining junk mail |
CN102045667A (en) * | 2009-10-23 | 2011-05-04 | 中兴通讯股份有限公司 | Implementation method and system for preventing email spam |
US8654655B2 (en) * | 2009-12-17 | 2014-02-18 | Thomson Licensing | Detecting and classifying anomalies in communication networks |
US8578497B2 (en) | 2010-01-06 | 2013-11-05 | Damballa, Inc. | Method and system for detecting malware |
US8826438B2 (en) | 2010-01-19 | 2014-09-02 | Damballa, Inc. | Method and system for network-based detecting of malware from behavioral clustering |
US8316094B1 (en) * | 2010-01-21 | 2012-11-20 | Symantec Corporation | Systems and methods for identifying spam mailing lists |
US9838349B2 (en) | 2010-03-08 | 2017-12-05 | Microsoft Technology Licensing, Llc | Zone classification of electronic mail messages |
US20110225076A1 (en) * | 2010-03-09 | 2011-09-15 | Google Inc. | Method and system for detecting fraudulent internet merchants |
US9652802B1 (en) | 2010-03-24 | 2017-05-16 | Consumerinfo.Com, Inc. | Indirect monitoring and reporting of a user's credit data |
US9634993B2 (en) * | 2010-04-01 | 2017-04-25 | Cloudflare, Inc. | Internet-based proxy service to modify internet responses |
US9049247B2 (en) | 2010-04-01 | 2015-06-02 | Cloudfare, Inc. | Internet-based proxy service for responding to server offline errors |
US8086684B2 (en) | 2010-04-20 | 2011-12-27 | The Go Daddy Group, Inc. | Detecting and mitigating undeliverable email |
US8621638B2 (en) | 2010-05-14 | 2013-12-31 | Mcafee, Inc. | Systems and methods for classification of messaging entities |
US20110289434A1 (en) * | 2010-05-20 | 2011-11-24 | Barracuda Networks, Inc. | Certified URL checking, caching, and categorization service |
US8707420B2 (en) | 2010-05-21 | 2014-04-22 | Microsoft Corporation | Trusted e-mail communication in a multi-tenant environment |
US9813367B2 (en) * | 2010-07-16 | 2017-11-07 | Firstwave Technology Pty Ltd | Methods and systems for analysis and/or classification of information |
US9516058B2 (en) | 2010-08-10 | 2016-12-06 | Damballa, Inc. | Method and system for determining whether domain names are legitimate or malicious |
US9083669B2 (en) | 2010-09-10 | 2015-07-14 | Blackberry Limited | System and method for providing plurality of prioritized email domain names |
US8498998B2 (en) * | 2010-10-11 | 2013-07-30 | International Business Machines Corporation | Grouping identity records to generate candidate lists to use in an entity and relationship resolution process |
US9148432B2 (en) * | 2010-10-12 | 2015-09-29 | Microsoft Technology Licensing, Llc | Range weighted internet protocol address blacklist |
US8396876B2 (en) | 2010-11-30 | 2013-03-12 | Yahoo! Inc. | Identifying reliable and authoritative sources of multimedia content |
US8695092B2 (en) | 2010-12-06 | 2014-04-08 | Microsoft Corporation | Host IP reputation |
US8885931B2 (en) * | 2011-01-26 | 2014-11-11 | Microsoft Corporation | Mitigating use of machine solvable HIPs |
US8631489B2 (en) | 2011-02-01 | 2014-01-14 | Damballa, Inc. | Method and system for detecting malicious domain names at an upper DNS hierarchy |
US9461878B1 (en) | 2011-02-01 | 2016-10-04 | Palo Alto Networks, Inc. | Blocking download of content |
US8554907B1 (en) * | 2011-02-15 | 2013-10-08 | Trend Micro, Inc. | Reputation prediction of IP addresses |
EP2676197B1 (en) | 2011-02-18 | 2018-11-28 | CSidentity Corporation | System and methods for identifying compromised personally identifiable information on the internet |
US8626856B2 (en) * | 2011-04-11 | 2014-01-07 | Microsoft Corporation | Geo-data spam filter |
RU2453916C1 (en) * | 2011-05-05 | 2012-06-20 | Игорь Викторович Лебедев | Information resource search method using readdressing |
US9117074B2 (en) | 2011-05-18 | 2015-08-25 | Microsoft Technology Licensing, Llc | Detecting a compromised online user account |
US8285808B1 (en) | 2011-05-20 | 2012-10-09 | Cloudflare, Inc. | Loading of web resources |
US8621556B1 (en) * | 2011-05-25 | 2013-12-31 | Palo Alto Networks, Inc. | Dynamic resolution of fully qualified domain name (FQDN) address objects in policy definitions |
US9087324B2 (en) | 2011-07-12 | 2015-07-21 | Microsoft Technology Licensing, Llc | Message categorization |
US9065826B2 (en) | 2011-08-08 | 2015-06-23 | Microsoft Technology Licensing, Llc | Identifying application reputation based on resource accesses |
US9442881B1 (en) | 2011-08-31 | 2016-09-13 | Yahoo! Inc. | Anti-spam transient entity classification |
US11030562B1 (en) | 2011-10-31 | 2021-06-08 | Consumerinfo.Com, Inc. | Pre-data breach monitoring |
US10754913B2 (en) | 2011-11-15 | 2020-08-25 | Tapad, Inc. | System and method for analyzing user device information |
US8954492B1 (en) * | 2011-11-30 | 2015-02-10 | F5 Networks, Inc. | Methods for inlining content externally referenced in a web page prior to providing the web page to a requestor and devices thereof |
KR101253616B1 (en) * | 2011-12-09 | 2013-04-11 | 한국인터넷진흥원 | Apparatus and method for tracking network path |
US9633201B1 (en) | 2012-03-01 | 2017-04-25 | The 41St Parameter, Inc. | Methods and systems for fraud containment |
US8819227B1 (en) * | 2012-03-19 | 2014-08-26 | Narus, Inc. | Discerning web content and services based on real-time DNS tagging |
US9521551B2 (en) | 2012-03-22 | 2016-12-13 | The 41St Parameter, Inc. | Methods and systems for persistent cross-application mobile device identification |
TWI478561B (en) * | 2012-04-05 | 2015-03-21 | Inst Information Industry | Domain tracing method and system and computer-readable storage medium storing the method |
US8396935B1 (en) * | 2012-04-10 | 2013-03-12 | Google Inc. | Discovering spam merchants using product feed similarity |
WO2014022813A1 (en) | 2012-08-02 | 2014-02-06 | The 41St Parameter, Inc. | Systems and methods for accessing records via derivative locators |
US10547674B2 (en) | 2012-08-27 | 2020-01-28 | Help/Systems, Llc | Methods and systems for network flow analysis |
US9680861B2 (en) | 2012-08-31 | 2017-06-13 | Damballa, Inc. | Historical analysis to identify malicious activity |
US9166994B2 (en) | 2012-08-31 | 2015-10-20 | Damballa, Inc. | Automation discovery to identify malicious activity |
US10084806B2 (en) | 2012-08-31 | 2018-09-25 | Damballa, Inc. | Traffic simulation to identify malicious activity |
US9894088B2 (en) | 2012-08-31 | 2018-02-13 | Damballa, Inc. | Data mining to identify malicious activity |
US8667074B1 (en) * | 2012-09-11 | 2014-03-04 | Bradford L. Farkas | Systems and methods for email tracking and email spam reduction using dynamic email addressing schemes |
US8898272B1 (en) | 2012-10-02 | 2014-11-25 | Amazon Technologies, Inc. | Identifying information in resource locators |
US9326218B2 (en) * | 2012-11-02 | 2016-04-26 | Telefonaktiebolaget L M Ericsson (Publ) | Base-station-to-base-station gateway and related devices, methods, and systems |
WO2014078569A1 (en) | 2012-11-14 | 2014-05-22 | The 41St Parameter, Inc. | Systems and methods of global identification |
US9241259B2 (en) | 2012-11-30 | 2016-01-19 | Websense, Inc. | Method and apparatus for managing the transfer of sensitive information to mobile devices |
US9531736B1 (en) * | 2012-12-24 | 2016-12-27 | Narus, Inc. | Detecting malicious HTTP redirections using user browsing activity trees |
US9027128B1 (en) * | 2013-02-07 | 2015-05-05 | Trend Micro Incorporated | Automatic identification of malicious budget codes and compromised websites that are employed in phishing attacks |
US8812387B1 (en) | 2013-03-14 | 2014-08-19 | Csidentity Corporation | System and method for identifying related credit inquiries |
CN103179024B (en) * | 2013-03-18 | 2016-01-20 | 北京二六三企业通信有限公司 | Mail filtering method and device |
CN103198396A (en) * | 2013-03-28 | 2013-07-10 | 南通大学 | Mail classification method based on social network behavior characteristics |
US9571511B2 (en) | 2013-06-14 | 2017-02-14 | Damballa, Inc. | Systems and methods for traffic classification |
ITTO20130513A1 (en) * | 2013-06-21 | 2014-12-22 | Sisvel Technology Srl | SYSTEM AND METHOD FOR FILTERING ELECTRONIC MESSAGES |
US9811830B2 (en) | 2013-07-03 | 2017-11-07 | Google Inc. | Method, medium, and system for online fraud prevention based on user physical location data |
US9258260B2 (en) | 2013-08-19 | 2016-02-09 | Microsoft Technology Licensing, Llc | Filtering electronic messages based on domain attributes without reputation |
US10902327B1 (en) | 2013-08-30 | 2021-01-26 | The 41St Parameter, Inc. | System and method for device identification and uniqueness |
RU2595533C2 (en) * | 2013-10-02 | 2016-08-27 | Общество С Ограниченной Ответственностью "Яндекс" | System for displaying mail attachments on web mail page |
CN104601736B (en) * | 2013-10-30 | 2018-10-23 | 腾讯科技(深圳)有限公司 | A kind of implementation method and device of short URL services |
US9239737B2 (en) | 2013-11-15 | 2016-01-19 | Sap Se | Concise resource addressing |
CN103634422B (en) * | 2013-11-29 | 2017-03-08 | 北京奇安信科技有限公司 | A kind of IP address recognition methodss of CDN source station and device |
US11568280B1 (en) * | 2019-01-23 | 2023-01-31 | Amdocs Development Limited | System, method, and computer program for parental controls and recommendations based on artificial intelligence |
US10778618B2 (en) * | 2014-01-09 | 2020-09-15 | Oath Inc. | Method and system for classifying man vs. machine generated e-mail |
KR101561289B1 (en) | 2014-03-13 | 2015-10-16 | (주)코리아센터닷컴 | Message editing apparatus |
WO2015137249A1 (en) * | 2014-03-13 | 2015-09-17 | 日本電信電話株式会社 | Monitoring device, monitoring method, and monitoring program |
US10079791B2 (en) * | 2014-03-14 | 2018-09-18 | Xpedite Systems, Llc | Systems and methods for domain- and auto-registration |
US10896421B2 (en) | 2014-04-02 | 2021-01-19 | Brighterion, Inc. | Smart retail analytics and commercial messaging |
US20180053114A1 (en) | 2014-10-23 | 2018-02-22 | Brighterion, Inc. | Artificial intelligence for context classifier |
US9928465B2 (en) | 2014-05-20 | 2018-03-27 | Oath Inc. | Machine learning and validation of account names, addresses, and/or identifiers |
US10078750B1 (en) | 2014-06-13 | 2018-09-18 | Trend Micro Incorporated | Methods and systems for finding compromised social networking accounts |
US10027702B1 (en) | 2014-06-13 | 2018-07-17 | Trend Micro Incorporated | Identification of malicious shortened uniform resource locators |
US9571452B2 (en) * | 2014-07-01 | 2017-02-14 | Sophos Limited | Deploying a security policy based on domain names |
US11838851B1 (en) | 2014-07-15 | 2023-12-05 | F5, Inc. | Methods for managing L7 traffic classification and devices thereof |
US20150066771A1 (en) | 2014-08-08 | 2015-03-05 | Brighterion, Inc. | Fast access vectors in real-time behavioral profiling |
US20160055427A1 (en) | 2014-10-15 | 2016-02-25 | Brighterion, Inc. | Method for providing data science, artificial intelligence and machine learning as-a-service |
US9280661B2 (en) | 2014-08-08 | 2016-03-08 | Brighterion, Inc. | System administrator behavior analysis |
US20150032589A1 (en) | 2014-08-08 | 2015-01-29 | Brighterion, Inc. | Artificial intelligence fraud management solution |
US20150339673A1 (en) | 2014-10-28 | 2015-11-26 | Brighterion, Inc. | Method for detecting merchant data breaches with a computer network server |
US10198579B2 (en) | 2014-08-22 | 2019-02-05 | Mcafee, Llc | System and method to detect domain generation algorithm malware and systems infected by such malware |
US9560074B2 (en) * | 2014-10-07 | 2017-01-31 | Cloudmark, Inc. | Systems and methods of identifying suspicious hostnames |
US10091312B1 (en) | 2014-10-14 | 2018-10-02 | The 41St Parameter, Inc. | Data structures for intelligently resolving deterministic and probabilistic device identifiers to device profiles and/or groups |
US11080709B2 (en) | 2014-10-15 | 2021-08-03 | Brighterion, Inc. | Method of reducing financial losses in multiple payment channels upon a recognition of fraud first appearing in any one payment channel |
US20160071017A1 (en) | 2014-10-15 | 2016-03-10 | Brighterion, Inc. | Method of operating artificial intelligence machines to improve predictive model training and performance |
US20160078367A1 (en) | 2014-10-15 | 2016-03-17 | Brighterion, Inc. | Data clean-up method for improving predictive model training |
US20160063502A1 (en) | 2014-10-15 | 2016-03-03 | Brighterion, Inc. | Method for improving operating profits with better automated decision making with artificial intelligence |
US10546099B2 (en) | 2014-10-15 | 2020-01-28 | Brighterion, Inc. | Method of personalizing, individualizing, and automating the management of healthcare fraud-waste-abuse to unique individual healthcare providers |
US10290001B2 (en) | 2014-10-28 | 2019-05-14 | Brighterion, Inc. | Data breach detection |
US10339527B1 (en) | 2014-10-31 | 2019-07-02 | Experian Information Solutions, Inc. | System and architecture for electronic fraud detection |
TWI544764B (en) | 2014-11-17 | 2016-08-01 | 緯創資通股份有限公司 | Method for identifying spam mail and mail server using the same |
RU2580424C1 (en) | 2014-11-28 | 2016-04-10 | Общество С Ограниченной Ответственностью "Яндекс" | Method of detecting insignificant lexical items in text messages and computer |
US10182013B1 (en) | 2014-12-01 | 2019-01-15 | F5 Networks, Inc. | Methods for managing progressive image delivery and devices thereof |
US20200067861A1 (en) * | 2014-12-09 | 2020-02-27 | ZapFraud, Inc. | Scam evaluation system |
US11895138B1 (en) | 2015-02-02 | 2024-02-06 | F5, Inc. | Methods for improving web scanner accuracy and devices thereof |
US10701085B2 (en) * | 2015-03-05 | 2020-06-30 | Nippon Telegraph And Telephone Corporation | Communication partner malignancy calculation device, communication partner malignancy calculation method, and communication partner malignancy calculation program |
US9930065B2 (en) | 2015-03-25 | 2018-03-27 | University Of Georgia Research Foundation, Inc. | Measuring, categorizing, and/or mitigating malware distribution paths |
US9736185B1 (en) | 2015-04-21 | 2017-08-15 | Infoblox Inc. | DNS or network metadata policy for network control |
US9521157B1 (en) * | 2015-06-24 | 2016-12-13 | Bank Of America Corporation | Identifying and assessing malicious resources |
US11151468B1 (en) | 2015-07-02 | 2021-10-19 | Experian Information Solutions, Inc. | Behavior analysis using distributed representations of event data |
US10671915B2 (en) | 2015-07-31 | 2020-06-02 | Brighterion, Inc. | Method for calling for preemptive maintenance and for equipment failure prevention |
US9762542B2 (en) * | 2015-08-04 | 2017-09-12 | Farsight Security, Inc. | Parallel detection of updates to a domain name system record system using a common filter |
US10057198B1 (en) | 2015-11-05 | 2018-08-21 | Trend Micro Incorporated | Controlling social network usage in enterprise environments |
US10305839B2 (en) * | 2015-11-17 | 2019-05-28 | Clover Leaf Environmental Solutions, Inc. | Electronic information system enabling email-based transactions with forms |
US11856260B2 (en) * | 2016-03-30 | 2023-12-26 | Covenant Eyes, Inc. | Applications, systems and methods to monitor, filter and/or alter output of a computing device |
CN107294834A (en) * | 2016-03-31 | 2017-10-24 | 阿里巴巴集团控股有限公司 | A kind of method and apparatus for recognizing spam |
CN105912674A (en) * | 2016-04-13 | 2016-08-31 | 精硕世纪科技(北京)有限公司 | Method, device and system for noise reduction and classification of data |
CN106028297B (en) * | 2016-04-28 | 2019-11-08 | 北京小米移动软件有限公司 | Carry the SMS processing method and device of network address |
US10397256B2 (en) * | 2016-06-13 | 2019-08-27 | Microsoft Technology Licensing, Llc | Spam classification system based on network flow data |
US10313348B2 (en) * | 2016-09-19 | 2019-06-04 | Fortinet, Inc. | Document classification by a hybrid classifier |
EP3297221B1 (en) * | 2016-09-19 | 2018-11-14 | retarus GmbH | Technique for detecting suspicious electronic messages |
US10346223B1 (en) * | 2016-11-23 | 2019-07-09 | Google Llc | Selective obfuscation of notifications |
US10284579B2 (en) * | 2017-03-22 | 2019-05-07 | Vade Secure, Inc. | Detection of email spoofing and spear phishing attacks |
EP3389237B1 (en) * | 2017-04-10 | 2019-04-03 | ise Individuelle Software und Elektronik GmbH | Method, device, computer-readable medium, and system for establishing links between a client and a target or end device |
US11757914B1 (en) * | 2017-06-07 | 2023-09-12 | Agari Data, Inc. | Automated responsive message to determine a security risk of a message sender |
US10805259B2 (en) | 2017-06-30 | 2020-10-13 | Microsoft Technology Licensing, Llc | Geolocation using reverse domain name server information |
CN109218162B (en) * | 2017-07-05 | 2021-04-27 | 北京二六三企业通信有限公司 | Mail delivery method and device |
US10708297B2 (en) | 2017-08-25 | 2020-07-07 | Ecrime Management Strategies, Inc. | Security system for detection and mitigation of malicious communications |
US10891373B2 (en) * | 2017-08-31 | 2021-01-12 | Micro Focus Llc | Quarantining electronic messages based on relationships among associated addresses |
US10778717B2 (en) | 2017-08-31 | 2020-09-15 | Barracuda Networks, Inc. | System and method for email account takeover detection and remediation |
US11563757B2 (en) | 2017-08-31 | 2023-01-24 | Barracuda Networks, Inc. | System and method for email account takeover detection and remediation utilizing AI models |
US11665195B2 (en) | 2017-08-31 | 2023-05-30 | Barracuda Networks, Inc. | System and method for email account takeover detection and remediation utilizing anonymized datasets |
US20210092139A1 (en) * | 2017-09-14 | 2021-03-25 | Mitsubishi Electric Corporation | Email inspection device, email inspection method, and computer readable medium |
US10699028B1 (en) | 2017-09-28 | 2020-06-30 | Csidentity Corporation | Identity security architecture systems and methods |
US10896472B1 (en) | 2017-11-14 | 2021-01-19 | Csidentity Corporation | Security and identity verification system and architecture |
RU2672616C1 (en) * | 2017-11-22 | 2018-11-16 | Акционерное общество "МаксимаТелеком" | Complex and method for preventing the advertising content blocking |
US11044213B2 (en) * | 2017-12-19 | 2021-06-22 | Nice Ltd. | Systems and methods for invisible identification of agents participating in on-line communication sessions |
US20190342297A1 (en) | 2018-05-01 | 2019-11-07 | Brighterion, Inc. | Securing internet-of-things with smart-agent technology |
EP3614280A1 (en) * | 2018-08-20 | 2020-02-26 | Siemens Aktiengesellschaft | Determining a result of a uniform resource identifier, uri, character string |
US10965691B1 (en) * | 2018-09-28 | 2021-03-30 | Verizon Media Inc. | Systems and methods for establishing sender-level trust in communications using sender-recipient pair data |
US11824870B2 (en) | 2018-12-19 | 2023-11-21 | Abnormal Security Corporation | Threat detection platforms for detecting, characterizing, and remediating email-based threats in real time |
US11431738B2 (en) | 2018-12-19 | 2022-08-30 | Abnormal Security Corporation | Multistage analysis of emails to identify security threats |
US11050793B2 (en) | 2018-12-19 | 2021-06-29 | Abnormal Security Corporation | Retrospective learning of communication patterns by machine learning models for discovering abnormal behavior |
US10686826B1 (en) | 2019-03-28 | 2020-06-16 | Vade Secure Inc. | Optical scanning parameters computation methods, devices and systems for malicious URL detection |
EP3715987A1 (en) * | 2019-03-29 | 2020-09-30 | Siemens Aktiengesellschaft | Method and system for managing messages in an automation system |
JP2022542634A (en) * | 2019-08-07 | 2022-10-06 | アクシオム エルエルシー | Systems and methods for ethical collection of data |
US11710137B2 (en) | 2019-08-23 | 2023-07-25 | Yandex Europe Ag | Method and system for identifying electronic devices of genuine customers of organizations |
US11411919B2 (en) | 2019-10-01 | 2022-08-09 | EXFO Solutions SAS | Deep packet inspection application classification systems and methods |
CN111046283A (en) * | 2019-12-04 | 2020-04-21 | 深圳前海微众银行股份有限公司 | Feature selection method, device, equipment and storage medium |
RU2752241C2 (en) | 2019-12-25 | 2021-07-23 | Общество С Ограниченной Ответственностью «Яндекс» | Method and system for identifying malicious activity of predetermined type in local network |
US11050879B1 (en) * | 2019-12-31 | 2021-06-29 | First Orion Corp. | Call traffic data monitoring and management |
CN110874531B (en) * | 2020-01-20 | 2020-07-10 | 湖南蚁坊软件股份有限公司 | Topic analysis method and device and storage medium |
US11784948B2 (en) * | 2020-01-29 | 2023-10-10 | International Business Machines Corporation | Cognitive determination of message suitability |
US11470042B2 (en) | 2020-02-21 | 2022-10-11 | Abnormal Security Corporation | Discovering email account compromise through assessments of digital activities |
US11252189B2 (en) | 2020-03-02 | 2022-02-15 | Abnormal Security Corporation | Abuse mailbox for facilitating discovery, investigation, and analysis of email-based threats |
US11790060B2 (en) | 2020-03-02 | 2023-10-17 | Abnormal Security Corporation | Multichannel threat detection for protecting against account compromise |
US10945051B1 (en) | 2020-04-06 | 2021-03-09 | Bank Of America Corporation | System and method for intentionally distorting digital media to reduce the accuracy of generative machine learning algorithms |
US11470108B2 (en) | 2020-04-23 | 2022-10-11 | Abnormal Security Corporation | Detection and prevention of external fraud |
US11108714B1 (en) * | 2020-07-29 | 2021-08-31 | Vmware, Inc. | Integration of an email client with hosted applications |
KR102527260B1 (en) * | 2020-09-15 | 2023-04-27 | 주식회사 카카오 | Method and System for determining a Spam URL |
US11563659B2 (en) | 2020-10-13 | 2023-01-24 | Vmware, Inc. | Edge alert coordinator for mobile devices |
US11528242B2 (en) * | 2020-10-23 | 2022-12-13 | Abnormal Security Corporation | Discovering graymail through real-time analysis of incoming email |
US11687648B2 (en) | 2020-12-10 | 2023-06-27 | Abnormal Security Corporation | Deriving and surfacing insights regarding security threats |
CN112733898A (en) * | 2020-12-30 | 2021-04-30 | 光通天下网络科技股份有限公司 | Data identification method and device based on characteristic weight, electronic equipment and medium |
US11882131B1 (en) * | 2020-12-31 | 2024-01-23 | Proofpoint, Inc. | Systems and methods for prioritizing URL review for sandboxing based on accelerated velocities of URL features in network traffic |
US11277375B1 (en) * | 2021-01-04 | 2022-03-15 | Saudi Arabian Oil Company | Sender policy framework (SPF) configuration validator and security examinator |
US11570149B2 (en) | 2021-03-30 | 2023-01-31 | Palo Alto Networks, Inc. | Feedback mechanism to enforce a security policy |
US11831661B2 (en) | 2021-06-03 | 2023-11-28 | Abnormal Security Corporation | Multi-tiered approach to payload detection for incoming communications |
US11829423B2 (en) * | 2021-06-25 | 2023-11-28 | Microsoft Technology Licensing, Llc | Determining that a resource is spam based upon a uniform resource locator of the webpage |
TWI774582B (en) | 2021-10-13 | 2022-08-11 | 財團法人工業技術研究院 | Detection device and detection method for malicious http request |
WO2023096964A1 (en) * | 2021-11-23 | 2023-06-01 | Insurance Services Office, Inc. | Systems and methods for automatic url identification from data |
US20230336571A1 (en) * | 2022-04-19 | 2023-10-19 | Akamai Technologies, Inc. | Real-time detection and prevention of online new-account creation fraud and abuse |
KR102472447B1 (en) * | 2022-06-13 | 2022-11-30 | (주)유알피시스템 | A system and method for automatically blocking specific content in complex documents using machine learning |
KR20240118315A (en) * | 2023-01-27 | 2024-08-05 | (주)기원테크 | A method and an appratus for mail security firewall |
Family Cites Families (153)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB8918553D0 (en) * | 1989-08-15 | 1989-09-27 | Digital Equipment Int | Message control system |
US5758257A (en) * | 1994-11-29 | 1998-05-26 | Herz; Frederick | System and method for scheduling broadcast of and access to video programs and other data using customer profiles |
US5619648A (en) | 1994-11-30 | 1997-04-08 | Lucent Technologies Inc. | Message filtering techniques |
US5638487A (en) * | 1994-12-30 | 1997-06-10 | Purespeech, Inc. | Automatic speech recognition |
CA2220491C (en) | 1995-05-08 | 2001-07-24 | Compuserve Incorporated | Rules based electronic message management system |
US5845077A (en) * | 1995-11-27 | 1998-12-01 | Microsoft Corporation | Method and system for identifying and obtaining computer software from a remote computer |
US6101531A (en) * | 1995-12-19 | 2000-08-08 | Motorola, Inc. | System for communicating user-selected criteria filter prepared at wireless client to communication server for filtering data transferred from host to said wireless client |
US5704017A (en) * | 1996-02-16 | 1997-12-30 | Microsoft Corporation | Collaborative filtering utilizing a belief network |
US5884033A (en) * | 1996-05-15 | 1999-03-16 | Spyglass, Inc. | Internet filtering system for filtering data transferred over the internet utilizing immediate and deferred filtering actions |
US6151643A (en) | 1996-06-07 | 2000-11-21 | Networks Associates, Inc. | Automatic updating of diverse software products on multiple client computer systems by downloading scanning application to client computer and generating software list on client computer |
US6453327B1 (en) * | 1996-06-10 | 2002-09-17 | Sun Microsystems, Inc. | Method and apparatus for identifying and discarding junk electronic mail |
US6072942A (en) | 1996-09-18 | 2000-06-06 | Secure Computing Corporation | System and method of electronic mail filtering using interconnected nodes |
EP0837399B1 (en) * | 1996-10-15 | 2000-03-15 | STMicroelectronics S.r.l. | An electronic device for performing convolution operations |
US5805801A (en) * | 1997-01-09 | 1998-09-08 | International Business Machines Corporation | System and method for detecting and preventing security |
US5905859A (en) * | 1997-01-09 | 1999-05-18 | International Business Machines Corporation | Managed network device security method and apparatus |
US6122657A (en) | 1997-02-04 | 2000-09-19 | Networks Associates, Inc. | Internet computer system with methods for dynamic filtering of hypertext tags and content |
US6742047B1 (en) * | 1997-03-27 | 2004-05-25 | Intel Corporation | Method and apparatus for dynamically filtering network content |
DE69724235T2 (en) * | 1997-05-28 | 2004-02-26 | Siemens Ag | Computer system and software protection method |
US20050081059A1 (en) * | 1997-07-24 | 2005-04-14 | Bandini Jean-Christophe Denis | Method and system for e-mail filtering |
US7117358B2 (en) * | 1997-07-24 | 2006-10-03 | Tumbleweed Communications Corp. | Method and system for filtering communication |
US6199102B1 (en) * | 1997-08-26 | 2001-03-06 | Christopher Alan Cobb | Method and system for filtering electronic messages |
US6041324A (en) | 1997-11-17 | 2000-03-21 | International Business Machines Corporation | System and method for identifying valid portion of computer resource identifier |
RU2127959C1 (en) | 1997-11-17 | 1999-03-20 | Борис Семенович Пинскер | Method for clipping unwanted information in tv set program receiving mode and device which implements said method |
US6003027A (en) * | 1997-11-21 | 1999-12-14 | International Business Machines Corporation | System and method for determining confidence levels for the results of a categorization system |
US6393465B2 (en) * | 1997-11-25 | 2002-05-21 | Nixmail Corporation | Junk electronic mail detector and eliminator |
US6351740B1 (en) | 1997-12-01 | 2002-02-26 | The Board Of Trustees Of The Leland Stanford Junior University | Method and system for training dynamic nonlinear adaptive filters which have embedded memory |
US6023723A (en) * | 1997-12-22 | 2000-02-08 | Accepted Marketing, Inc. | Method and system for filtering unwanted junk e-mail utilizing a plurality of filtering mechanisms |
AU1907899A (en) * | 1997-12-22 | 1999-07-12 | Accepted Marketing, Inc. | E-mail filter and method thereof |
US6052709A (en) * | 1997-12-23 | 2000-04-18 | Bright Light Technologies, Inc. | Apparatus and method for controlling delivery of unsolicited electronic mail |
GB2334116A (en) * | 1998-02-04 | 1999-08-11 | Ibm | Scheduling and dispatching queued client requests within a server computer |
US6484261B1 (en) * | 1998-02-17 | 2002-11-19 | Cisco Technology, Inc. | Graphical network security policy management |
US6504941B2 (en) * | 1998-04-30 | 2003-01-07 | Hewlett-Packard Company | Method and apparatus for digital watermarking of images |
US6314421B1 (en) * | 1998-05-12 | 2001-11-06 | David M. Sharnoff | Method and apparatus for indexing documents for message filtering |
US6074942A (en) * | 1998-06-03 | 2000-06-13 | Worldwide Semiconductor Manufacturing Corporation | Method for forming a dual damascene contact and interconnect |
US6308273B1 (en) * | 1998-06-12 | 2001-10-23 | Microsoft Corporation | Method and system of security location discrimination |
US6161130A (en) * | 1998-06-23 | 2000-12-12 | Microsoft Corporation | Technique which utilizes a probabilistic classifier to detect "junk" e-mail by automatically updating a training and re-training the classifier based on the updated training set |
US6192360B1 (en) * | 1998-06-23 | 2001-02-20 | Microsoft Corporation | Methods and apparatus for classifying text and for building a text classifier |
US7275082B2 (en) * | 1998-07-15 | 2007-09-25 | Pang Stephen Y F | System for policing junk e-mail messages |
US6167434A (en) * | 1998-07-15 | 2000-12-26 | Pang; Stephen Y. | Computer code for removing junk e-mail messages |
US6112227A (en) * | 1998-08-06 | 2000-08-29 | Heiner; Jeffrey Nelson | Filter-in method for reducing junk e-mail |
US6434600B2 (en) * | 1998-09-15 | 2002-08-13 | Microsoft Corporation | Methods and systems for securely delivering electronic mail to hosts having dynamic IP addresses |
US6732273B1 (en) * | 1998-10-21 | 2004-05-04 | Lucent Technologies Inc. | Priority and security coding system for electronic mail messages |
GB2343529B (en) * | 1998-11-07 | 2003-06-11 | Ibm | Filtering incoming e-mail |
US6546416B1 (en) * | 1998-12-09 | 2003-04-08 | Infoseek Corporation | Method and system for selectively blocking delivery of bulk electronic mail |
US6643686B1 (en) * | 1998-12-18 | 2003-11-04 | At&T Corp. | System and method for counteracting message filtering |
US6615242B1 (en) * | 1998-12-28 | 2003-09-02 | At&T Corp. | Automatic uniform resource locator-based message filter |
US6654787B1 (en) | 1998-12-31 | 2003-11-25 | Brightmail, Incorporated | Method and apparatus for filtering e-mail |
US6266692B1 (en) * | 1999-01-04 | 2001-07-24 | International Business Machines Corporation | Method for blocking all unwanted e-mail (SPAM) using a header-based password |
US6330590B1 (en) * | 1999-01-05 | 2001-12-11 | William D. Cotten | Preventing delivery of unwanted bulk e-mail |
US6424997B1 (en) * | 1999-01-27 | 2002-07-23 | International Business Machines Corporation | Machine learning based electronic messaging system |
US6449634B1 (en) | 1999-01-29 | 2002-09-10 | Digital Impact, Inc. | Method and system for remotely sensing the file formats processed by an E-mail client |
US6477551B1 (en) * | 1999-02-16 | 2002-11-05 | International Business Machines Corporation | Interactive electronic messaging system |
US7032030B1 (en) | 1999-03-11 | 2006-04-18 | John David Codignotto | Message publishing system and method |
US6732149B1 (en) * | 1999-04-09 | 2004-05-04 | International Business Machines Corporation | System and method for hindering undesired transmission or receipt of electronic messages |
US6370526B1 (en) * | 1999-05-18 | 2002-04-09 | International Business Machines Corporation | Self-adaptive method and system for providing a user-preferred ranking order of object sets |
US6592627B1 (en) * | 1999-06-10 | 2003-07-15 | International Business Machines Corporation | System and method for organizing repositories of semi-structured documents such as email |
AU7080700A (en) * | 1999-09-01 | 2001-03-26 | Peter L. Katsikas | System for eliminating unauthorized electronic mail |
US6449636B1 (en) | 1999-09-08 | 2002-09-10 | Nortel Networks Limited | System and method for creating a dynamic data file from collected and filtered web pages |
US6321267B1 (en) * | 1999-11-23 | 2001-11-20 | Escom Corporation | Method and apparatus for filtering junk email |
US6728690B1 (en) * | 1999-11-23 | 2004-04-27 | Microsoft Corporation | Classification system trainer employing maximum margin back-propagation with probabilistic outputs |
US6915344B1 (en) * | 1999-11-30 | 2005-07-05 | Microsoft Corporation | Server stress-testing response verification |
US6633855B1 (en) * | 2000-01-06 | 2003-10-14 | International Business Machines Corporation | Method, system, and program for filtering content using neural networks |
US6701440B1 (en) * | 2000-01-06 | 2004-03-02 | Networks Associates Technology, Inc. | Method and system for protecting a computer using a remote e-mail scanning device |
US7822977B2 (en) | 2000-02-08 | 2010-10-26 | Katsikas Peter L | System for eliminating unauthorized electronic mail |
US6438584B1 (en) | 2000-03-07 | 2002-08-20 | Letter Services, Inc. | Automatic generation of graphically-composed correspondence via a text email-interface |
US6691156B1 (en) * | 2000-03-10 | 2004-02-10 | International Business Machines Corporation | Method for restricting delivery of unsolicited E-mail |
US6684201B1 (en) * | 2000-03-31 | 2004-01-27 | Microsoft Corporation | Linguistic disambiguation system and method using string-based pattern training to learn to resolve ambiguity sites |
US7210099B2 (en) * | 2000-06-12 | 2007-04-24 | Softview Llc | Resolution independent vector display of internet content |
US20040073617A1 (en) * | 2000-06-19 | 2004-04-15 | Milliken Walter Clark | Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail |
WO2001098936A2 (en) * | 2000-06-22 | 2001-12-27 | Microsoft Corporation | Distributed computing services platform |
US7003555B1 (en) * | 2000-06-23 | 2006-02-21 | Cloudshield Technologies, Inc. | Apparatus and method for domain name resolution |
US6779021B1 (en) * | 2000-07-28 | 2004-08-17 | International Business Machines Corporation | Method and system for predicting and managing undesirable electronic mail |
TW533702B (en) * | 2000-07-28 | 2003-05-21 | Wistron Corp | Network communication system and dynamic message routing method therefor |
US6842773B1 (en) * | 2000-08-24 | 2005-01-11 | Yahoo ! Inc. | Processing of textual electronic communication distributed in bulk |
US6971023B1 (en) * | 2000-10-03 | 2005-11-29 | Mcafee, Inc. | Authorizing an additional computer program module for use with a core computer program |
US6757830B1 (en) * | 2000-10-03 | 2004-06-29 | Networks Associates Technology, Inc. | Detecting unwanted properties in received email messages |
US6748422B2 (en) | 2000-10-19 | 2004-06-08 | Ebay Inc. | System and method to control sending of unsolicited communications relating to a plurality of listings in a network-based commerce facility |
US7243125B2 (en) * | 2000-12-08 | 2007-07-10 | Xerox Corporation | Method and apparatus for presenting e-mail threads as semi-connected text by removing redundant material |
JP3554271B2 (en) | 2000-12-13 | 2004-08-18 | パナソニック コミュニケーションズ株式会社 | Information communication equipment |
US6775704B1 (en) * | 2000-12-28 | 2004-08-10 | Networks Associates Technology, Inc. | System and method for preventing a spoofed remote procedure call denial of service attack in a networked computing environment |
US20050159136A1 (en) * | 2000-12-29 | 2005-07-21 | Andrew Rouse | System and method for providing wireless device access |
US20020129111A1 (en) | 2001-01-15 | 2002-09-12 | Cooper Gerald M. | Filtering unsolicited email |
US6941466B2 (en) * | 2001-02-22 | 2005-09-06 | International Business Machines Corporation | Method and apparatus for providing automatic e-mail filtering based on message semantics, sender's e-mail ID, and user's identity |
US20020124025A1 (en) | 2001-03-01 | 2002-09-05 | International Business Machines Corporataion | Scanning and outputting textual information in web page images |
GB2373130B (en) | 2001-03-05 | 2004-09-22 | Messagelabs Ltd | Method of,and system for,processing email in particular to detect unsolicited bulk email |
US6928465B2 (en) * | 2001-03-16 | 2005-08-09 | Wells Fargo Bank, N.A. | Redundant email address detection and capture system |
US6751348B2 (en) * | 2001-03-29 | 2004-06-15 | Fotonation Holdings, Llc | Automated detection of pornographic images |
US8949878B2 (en) | 2001-03-30 | 2015-02-03 | Funai Electric Co., Ltd. | System for parental control in video programs based on multimedia content information |
US6920477B2 (en) | 2001-04-06 | 2005-07-19 | President And Fellows Of Harvard College | Distributed, compressed Bloom filter Web cache server |
US8095597B2 (en) | 2001-05-01 | 2012-01-10 | Aol Inc. | Method and system of automating data capture from electronic correspondence |
US7188106B2 (en) * | 2001-05-01 | 2007-03-06 | International Business Machines Corporation | System and method for aggregating ranking results from various sources to improve the results of web searching |
US6768991B2 (en) * | 2001-05-15 | 2004-07-27 | Networks Associates Technology, Inc. | Searching for sequences of character data |
US7103599B2 (en) * | 2001-05-15 | 2006-09-05 | Verizon Laboratories Inc. | Parsing of nested internet electronic mail documents |
US20030009698A1 (en) * | 2001-05-30 | 2003-01-09 | Cascadezone, Inc. | Spam avenger |
US7502829B2 (en) * | 2001-06-21 | 2009-03-10 | Cybersoft, Inc. | Apparatus, methods and articles of manufacture for intercepting, examining and controlling code, data and files and their transfer |
US7328250B2 (en) * | 2001-06-29 | 2008-02-05 | Nokia, Inc. | Apparatus and method for handling electronic mail |
US20030009495A1 (en) | 2001-06-29 | 2003-01-09 | Akli Adjaoute | Systems and methods for filtering electronic content |
TW533380B (en) * | 2001-07-23 | 2003-05-21 | Ulead Systems Inc | Group image detecting method |
US6769016B2 (en) * | 2001-07-26 | 2004-07-27 | Networks Associates Technology, Inc. | Intelligent SPAM detection system using an updateable neural analysis engine |
US7146402B2 (en) | 2001-08-31 | 2006-12-05 | Sendmail, Inc. | E-mail system providing filtering methodology on a per-domain basis |
KR100369282B1 (en) | 2001-09-28 | 2003-01-24 | 주식회사 케이티 | An E-mail service system with anti-spam mail using virtual E-mail addresses and method therefor |
JP3590936B2 (en) | 2001-10-06 | 2004-11-17 | テラス テクノロジーズ,インコーポレイテッド | E-mail service system having dynamic IP filtering module and dynamic IP address filtering method |
US20060036701A1 (en) * | 2001-11-20 | 2006-02-16 | Bulfer Andrew F | Messaging system having message filtering and access control |
US8561167B2 (en) * | 2002-03-08 | 2013-10-15 | Mcafee, Inc. | Web reputation scoring |
JP2003263391A (en) | 2002-03-11 | 2003-09-19 | Nec Corp | Filtering method for junk mail |
US6785820B1 (en) | 2002-04-02 | 2004-08-31 | Networks Associates Technology, Inc. | System, method and computer program product for conditionally updating a security program |
US20030204569A1 (en) * | 2002-04-29 | 2003-10-30 | Michael R. Andrews | Method and apparatus for filtering e-mail infected with a previously unidentified computer virus |
US20030229672A1 (en) * | 2002-06-05 | 2003-12-11 | Kohn Daniel Mark | Enforceable spam identification and reduction system, and method thereof |
US8046832B2 (en) * | 2002-06-26 | 2011-10-25 | Microsoft Corporation | Spam detector with challenges |
US8924484B2 (en) * | 2002-07-16 | 2014-12-30 | Sonicwall, Inc. | Active e-mail filter with challenge-response |
US7363490B2 (en) * | 2002-09-12 | 2008-04-22 | International Business Machines Corporation | Method and system for selective email acceptance via encoded email identifiers |
US7188369B2 (en) | 2002-10-03 | 2007-03-06 | Trend Micro, Inc. | System and method having an antivirus virtual scanning processor with plug-in functionalities |
US20040083270A1 (en) | 2002-10-23 | 2004-04-29 | David Heckerman | Method and system for identifying junk e-mail |
US7149801B2 (en) * | 2002-11-08 | 2006-12-12 | Microsoft Corporation | Memory bound functions for spam deterrence and the like |
US6732157B1 (en) * | 2002-12-13 | 2004-05-04 | Networks Associates Technology, Inc. | Comprehensive anti-spam system, method, and computer program product for filtering unwanted e-mail messages |
WO2004059506A1 (en) | 2002-12-26 | 2004-07-15 | Commtouch Software Ltd. | Detection and prevention of spam |
US7171450B2 (en) * | 2003-01-09 | 2007-01-30 | Microsoft Corporation | Framework to enable integration of anti-spam technologies |
US7533148B2 (en) * | 2003-01-09 | 2009-05-12 | Microsoft Corporation | Framework to enable integration of anti-spam technologies |
US7725544B2 (en) * | 2003-01-24 | 2010-05-25 | Aol Inc. | Group based spam classification |
US7249162B2 (en) | 2003-02-25 | 2007-07-24 | Microsoft Corporation | Adaptive junk message filtering system |
US7543053B2 (en) | 2003-03-03 | 2009-06-02 | Microsoft Corporation | Intelligent quarantining for spam prevention |
US7219148B2 (en) | 2003-03-03 | 2007-05-15 | Microsoft Corporation | Feedback loop for spam prevention |
US20040177120A1 (en) * | 2003-03-07 | 2004-09-09 | Kirsch Steven T. | Method for filtering e-mail messages |
US7366761B2 (en) * | 2003-10-09 | 2008-04-29 | Abaca Technology Corporation | Method for creating a whitelist for processing e-mails |
US7320020B2 (en) * | 2003-04-17 | 2008-01-15 | The Go Daddy Group, Inc. | Mail server probability spam filter |
US7653698B2 (en) | 2003-05-29 | 2010-01-26 | Sonicwall, Inc. | Identifying e-mail messages from allowed senders |
US7293063B1 (en) | 2003-06-04 | 2007-11-06 | Symantec Corporation | System utilizing updated spam signatures for performing secondary signature-based analysis of a held e-mail to improve spam email detection |
US7263607B2 (en) | 2003-06-12 | 2007-08-28 | Microsoft Corporation | Categorizing electronic messages based on trust between electronic messaging entities |
US8533270B2 (en) * | 2003-06-23 | 2013-09-10 | Microsoft Corporation | Advanced spam detection techniques |
US7051077B2 (en) | 2003-06-30 | 2006-05-23 | Mx Logic, Inc. | Fuzzy logic voting method and system for classifying e-mail using inputs from multiple spam classifiers |
US7155484B2 (en) | 2003-06-30 | 2006-12-26 | Bellsouth Intellectual Property Corporation | Filtering email messages corresponding to undesirable geographical regions |
US20050015455A1 (en) * | 2003-07-18 | 2005-01-20 | Liu Gary G. | SPAM processing system and methods including shared information among plural SPAM filters |
US20050060643A1 (en) * | 2003-08-25 | 2005-03-17 | Miavia, Inc. | Document similarity detection and classification system |
US20050050150A1 (en) * | 2003-08-29 | 2005-03-03 | Sam Dinkin | Filter, system and method for filtering an electronic mail message |
US7451487B2 (en) | 2003-09-08 | 2008-11-11 | Sonicwall, Inc. | Fraudulent message detection |
US7257564B2 (en) | 2003-10-03 | 2007-08-14 | Tumbleweed Communications Corp. | Dynamic message filtering |
US7930351B2 (en) | 2003-10-14 | 2011-04-19 | At&T Intellectual Property I, L.P. | Identifying undesired email messages having attachments |
US7451184B2 (en) * | 2003-10-14 | 2008-11-11 | At&T Intellectual Property I, L.P. | Child protection from harmful email |
US7610341B2 (en) * | 2003-10-14 | 2009-10-27 | At&T Intellectual Property I, L.P. | Filtered email differentiation |
US7373385B2 (en) | 2003-11-03 | 2008-05-13 | Cloudmark, Inc. | Method and apparatus to block spam based on spam reports from a community of users |
US20050102366A1 (en) | 2003-11-07 | 2005-05-12 | Kirsch Steven T. | E-mail filter employing adaptive ruleset |
US20050120019A1 (en) | 2003-11-29 | 2005-06-02 | International Business Machines Corporation | Method and apparatus for the automatic identification of unsolicited e-mail messages (SPAM) |
US7359941B2 (en) * | 2004-01-08 | 2008-04-15 | International Business Machines Corporation | Method and apparatus for filtering spam email |
US7590694B2 (en) | 2004-01-16 | 2009-09-15 | Gozoom.Com, Inc. | System for determining degrees of similarity in email message information |
US7693943B2 (en) | 2004-01-23 | 2010-04-06 | International Business Machines Corporation | Classification of electronic mail into multiple directories based upon their spam-like properties |
US20050182735A1 (en) * | 2004-02-12 | 2005-08-18 | Zager Robert P. | Method and apparatus for implementing a micropayment system to control e-mail spam |
WO2005082101A2 (en) | 2004-02-26 | 2005-09-09 | Truefire, Inc. | Systems and methods for producing, managing, delivering, retrieving, and/or tracking permission based communications |
US20050204159A1 (en) * | 2004-03-09 | 2005-09-15 | International Business Machines Corporation | System, method and computer program to block spam |
US7627670B2 (en) * | 2004-04-29 | 2009-12-01 | International Business Machines Corporation | Method and apparatus for scoring unsolicited e-mail |
US7155243B2 (en) | 2004-06-15 | 2006-12-26 | Tekelec | Methods, systems, and computer program products for content-based screening of messaging service messages |
US20060123083A1 (en) * | 2004-12-03 | 2006-06-08 | Xerox Corporation | Adaptive spam message detector |
US7937480B2 (en) * | 2005-06-02 | 2011-05-03 | Mcafee, Inc. | Aggregation of reputation data |
US7971137B2 (en) * | 2005-12-14 | 2011-06-28 | Google Inc. | Detecting and rejecting annoying documents |
-
2003
- 2003-06-04 US US10/454,168 patent/US7272853B2/en active Active
-
2004
- 2004-03-25 US US10/809,163 patent/US7464264B2/en not_active Expired - Fee Related
- 2004-05-17 TW TW093113883A patent/TWI353146B/en not_active IP Right Cessation
- 2004-05-18 JP JP2004148159A patent/JP4672285B2/en not_active Expired - Lifetime
- 2004-05-20 CA CA2467869A patent/CA2467869C/en not_active Expired - Lifetime
- 2004-05-21 MY MYPI20041958A patent/MY142668A/en unknown
- 2004-05-21 EP EP04102242.7A patent/EP1484893B1/en not_active Expired - Lifetime
- 2004-05-24 ZA ZA200404018A patent/ZA200404018B/en unknown
- 2004-05-25 KR KR1020040037227A patent/KR101137065B1/en active IP Right Grant
- 2004-05-25 AU AU2004202268A patent/AU2004202268B2/en not_active Expired
- 2004-05-27 BR BRPI0401849A patent/BRPI0401849B1/en not_active IP Right Cessation
- 2004-05-28 US US10/856,978 patent/US7409708B2/en active Active
- 2004-06-02 MX MXPA04005335A patent/MXPA04005335A/en active IP Right Grant
- 2004-06-03 PL PL04368364A patent/PL368364A1/en not_active Application Discontinuation
- 2004-06-03 RU RU2004116904/09A patent/RU2378692C2/en not_active IP Right Cessation
- 2004-06-04 CN CN2004100639539A patent/CN1573784B/en not_active Expired - Lifetime
-
2007
- 2007-01-09 US US11/621,363 patent/US7665131B2/en not_active Expired - Lifetime
Also Published As
Publication number | Publication date |
---|---|
US7464264B2 (en) | 2008-12-09 |
CA2467869A1 (en) | 2004-12-04 |
JP4672285B2 (en) | 2011-04-20 |
MY142668A (en) | 2010-12-15 |
JP2004362559A (en) | 2004-12-24 |
RU2004116904A (en) | 2005-11-10 |
TWI353146B (en) | 2011-11-21 |
RU2378692C2 (en) | 2010-01-10 |
AU2004202268A1 (en) | 2004-12-23 |
ZA200404018B (en) | 2005-05-20 |
TW200509615A (en) | 2005-03-01 |
BRPI0401849A (en) | 2005-02-09 |
EP1484893B1 (en) | 2017-07-05 |
US20070118904A1 (en) | 2007-05-24 |
MXPA04005335A (en) | 2005-03-31 |
EP1484893A3 (en) | 2006-05-24 |
US20050022031A1 (en) | 2005-01-27 |
US20050022008A1 (en) | 2005-01-27 |
US7665131B2 (en) | 2010-02-16 |
CN1573784A (en) | 2005-02-02 |
US7409708B2 (en) | 2008-08-05 |
BRPI0401849B1 (en) | 2017-04-11 |
EP1484893A2 (en) | 2004-12-08 |
PL368364A1 (en) | 2004-12-13 |
KR101137065B1 (en) | 2012-07-02 |
AU2004202268B2 (en) | 2009-12-03 |
CN1573784B (en) | 2012-11-07 |
KR20040104902A (en) | 2004-12-13 |
US7272853B2 (en) | 2007-09-18 |
US20040260922A1 (en) | 2004-12-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2467869C (en) | Origination/destination features and lists for spam prevention | |
US9501746B2 (en) | Systems and methods for electronic message analysis | |
US7660865B2 (en) | Spam filtering with probabilistic secure hashes | |
US8194564B2 (en) | Message filtering method | |
US8392357B1 (en) | Trust network to reduce e-mail spam | |
US8533270B2 (en) | Advanced spam detection techniques | |
US7475118B2 (en) | Method for recognizing spam email | |
EP1877904B1 (en) | Detecting unwanted electronic mail messages based on probabilistic analysis of referenced resources | |
US7562122B2 (en) | Message classification using allowed items | |
US8266215B2 (en) | Using distinguishing properties to classify messages | |
US20050015626A1 (en) | System and method for identifying and filtering junk e-mail messages or spam based on URL content | |
US8291024B1 (en) | Statistical spamming behavior analysis on mail clusters | |
US20040143635A1 (en) | Regulating receipt of electronic mail | |
EP1738519A1 (en) | Method and system for url-based screening of electronic communications | |
US20060075099A1 (en) | Automatic elimination of viruses and spam | |
NL1040630C2 (en) | Method and system for email spam elimination and classification, using recipient defined codes and sender response. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
EEER | Examination request |